
Using Case Sensitive IPv6 Addressing on a Palo Alto

source link: https://www.tuicool.com/articles/hit/jYriUfN

IPv6 brings us enough addresses until the end of the world. Really? Well… No. There was an interesting talk at RIPE77 called “The Art of Running Out of IPv6 Addresses” by Benedikt Stockebrand that concludes that we will run out of IPv6 addresses some day.

Luckily, Palo Alto Networks has already added one feature to expand the IPv6 address space by making addresses case sensitive. That is: you can now differentiate between the lower and upper case values “a..f” and “A..F”. Instead of 16 different hexadecimal values you now have 22, which increases the IPv6 space from rueiYvE.png!web to about YbIVNny.png!web. Here is how it works on the Palo Alto Networks firewall:

While the original RFC 4291 “IP Version 6 Addressing Architecture” declares IPv6 addresses to be 128 bits long, represented as hexadecimal values from 0..f, the case sensitive addressing scheme has 6 more values, that is:

0123456789 abcdef ABCDEF

This increases the overall IPv6 address space by a factor of 16384. Wow! From U7Zvuef.png!web to vARreiE.png!web.

Enable IPv6 Case Sensitive Addressing

Palo Alto Networks has implemented this feature with PAN-OS 8.1.0. I am running a PA-220 with PAN-OS 8.1.6 in my lab. You can enable this feature at Device -> Setup -> Session -> Session Settings -> Enable IPv6 Case Sensitive Addressing.

After that you can commit layer 3 (sub-)interface IPv6 addresses that are only different in their lower/upper case notation of the abcdef/ABCDEF values.

Looking at the routing table via the CLI you can additionally verify this working setup (refer to lines 15-18):

weberjoh@pa> show routing route afi ipv6
 
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
 
 
VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
::/0                                        2001:470:1f0b:1024::1                   10     A S              ethernet1/2
2001:470:1f0b:1024::/64                     2001:470:1f0b:1024::2                   0      A C              ethernet1/2
2001:470:1f0b:1024::2/128                   ::                                      0      A H
2001:470:765b::/64                          2001:470:765b::1                        0      A C              ethernet1/5.224
2001:470:765b::1/128                        ::                                      0      A H
2001:470:765b:abcd::/64                     2001:470:765b:abcd::1                   0      A C              ethernet1/5.6
2001:470:765b:abcd::1/128                   ::                                      0      A H
2001:470:765b:ABCD::/64                     2001:470:765b:ABCD::1                   0      A C              ethernet1/5.7
2001:470:765b:ABCD::1/128                   ::                                      0      A H
total routes shown: 9

However, keep in mind that this will only work if your overall network infrastructure supports this case sensitive IPv6 addressing scheme as well.
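An added example (not from the original article) for checking this caveat against one piece of tooling: Python's standard ipaddress module reads the hex digits of an IPv6 address case-insensitively, so the function below reports which routing-table entries it would collapse into a single prefix. The function names are illustrative; the prefixes are copied from the destination column of the CLI output above.

```python
import ipaddress
from collections import defaultdict

# Destination column copied from the routing table shown above.
ROUTES = """\
::/0
2001:470:1f0b:1024::/64
2001:470:1f0b:1024::2/128
2001:470:765b::/64
2001:470:765b::1/128
2001:470:765b:abcd::/64
2001:470:765b:abcd::1/128
2001:470:765b:ABCD::/64
2001:470:765b:ABCD::1/128
"""


def case_only_collisions(text):
    """Return prefixes that differ as text but parse to the same network.

    Keys are the parser's canonical (lower case) form, values are the
    distinct spellings found in the input that map onto it.
    """
    groups = defaultdict(list)
    for spelling in text.split():
        network = ipaddress.ip_network(spelling, strict=True)
        if spelling not in groups[network]:
            groups[network].append(spelling)
    return {
        str(network): spellings
        for network, spellings in groups.items()
        if len(spellings) > 1
    }


def same_128_bits(addr_a, addr_b):
    """True if both textual addresses parse to the same 16 bytes."""
    a = ipaddress.IPv6Address(addr_a).packed
    b = ipaddress.IPv6Address(addr_b).packed
    return a == b


if __name__ == "__main__":
    for canonical, spellings in case_only_collisions(ROUTES).items():
        print(f"{canonical} <- {', '.join(spellings)}")
    print(same_128_bits("2001:470:765b:abcd::1", "2001:470:765b:ABCD::1"))
```

Any log pipeline, ACL generator or IPAM export built on a parser like this one will show the ethernet1/5.6 and ethernet1/5.7 networks as one entry.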

Conclusion

Yes, we will run out of IPv6 addresses one day. Since any kind of NAT/NPT solution should be avoided completely, this case sensitivity of IPv6 addresses is quite a good and working approach. Nice to see that Palo Alto Networks has already implemented it.

Featured image “ABC” by Jeremy Brooks is licensed under CC BY-NC 2.0.

