IPv6 is well designed. The model of scopes and zones along with the zone isolation principle is based on solid mathematical standards and can provide straight answers to tricky questions regarding packets with mixed source and destination address scopes. Can a packet with a link-local or ULA address reach the global destination? There is no doubt about that, at least not in IPv6 theory.
Ivan Pepelnjak was discussing the usage of ULA (Unique Local Addresses) recently in one of his blog post at ipSpace. He says: “If the destination IPv6 address is a global IPv6 address and the source host has an ULA address but no global IPv6 address, it tries to use the ULA source IPv6 address (and might reach the destination or not).”. To understand why this can actually work, it is necessary to have some insight about scopes and zone in IPv6, and the basic rules that dictate the packet forwarding within the scope zone.
Here is a simple question for you. You have two IPv6 systems, node N1 and node N2, connected to each other with a link L12 as depicted below:
N1 has interface i1 with link-local address only, fe80::1 in our example – on the other hand, N2 has two IPv6 addresses on its interface i2, link-local (fe80::<something>) and a unicast-global address 2001:db8::2. N1 has a default route to reach the IPv6 internet pointing via i1 to i2, N2 has no routing enabled. N1 and N2 have no other interfaces in our example.
The question is:
Will “ping” from a link-local source i1 at N1 to a global destination i2 at N2 work?
I admit I was not sure about the answer at first because I was “taught” that a link-local source can not reach the global address ever. But this is a very oversimplified statement, wrong even. Actually, what is required and sufficient for a successful communication in our case is that the interface which is sending the packet (source interface) is part of this packet’s destination address zone and the interface that receives the packet (destination interface) is in the packet’s source address zone. Therefore, a packet will never leave a zone.
By the way, I’ve found some very nice explanations about IPv6 Address Scope and Zone in the IPv6 for IPv4 Experts book, written by Yar Tikhiy. This book is very special in a way it explains the IPv6 principles. It is not written as a technical manual but as a true story about IPv6 :-). Of course, reading RFCs, like RFC 4007 – IPv6 Scoped Address Architecture also helps.
So, let us define the scopes and the zones first.
- IPv6 address defines a scope. Scope is a topological span within which the address is meaningful as a unique identifier of a network interface (or of a set of interfaces, in case of a multicast address).
- A scope zone, or simply a zone, is a connected region of topology of a given scope (RFC 4007).
- Zone boundaries cut through nodes, not through links.
- There is no partial overlap between zones.
- A zone of a larger scope can fully contain zones of smaller scope.
(Programmers, you can think of a scope as an abstract class and of a zone as a specific object derived from that class.)
This is the important rule: Zone isolation principle demands that the entire path of a packet whose source or destination address is from a particular zone must stay within that zone boundaries.
IPv6 interface belongs to a certain zone of each possible scope, that is – each IPv6 interface is attached to no more than one zone of each scope. As show on the following picture, the interface with its link-local address is in the link zone and at the same time this interface with its global address is part of the global zone called Internet:
So, what happens with
N1> ping 2001:db8::2 source fe80::1? Packet can be sent from node N1 because the sending interface i1 is part of the global internet zone, same as the destination address 2001:db8::2. This is true because interface i1 is the default gateway for N1. The egress interface i1 is part of both zones, link L12 and internet.
When packet is received by N2, its source address is link-local scope, same as the zone (link L12) of the receiving interface i2. Similar arguments hold for the reply. Source i2 is in the same zone as the destination address fe80::1 (zone link L12) and receiving interface i1 is in the same zone as source address 2001:db8::2 (internet). Therefore, ping should work fine. Go ahead and try it in your little lab ;-). Then try to answer and explain this one:
N1> ping 2001:db8:ffff::f source fe80::1work?