Subnetting for IPv6: /48 to /64 and Beyond
Learn how IPv6 subnetting differs from IPv4. Understand the /48 to /64 hierarchy, site prefixes, and why a /64 is the standard subnet size.
IPv6 Subnetting Is Different
In IPv4, subnetting is about conserving scarce addresses. In IPv6, the address space is so vast (2^128) that subnetting is purely about network organization. You never need to worry about running out of addresses.
The standard allocation from an ISP looks like:
The IPv6 Address Hierarchy
| Prefix | Level | Assigned By | Purpose |
|---|---|---|---|
| /32 | ISP allocation | RIR (ARIN, RIPE) | ISP's total address block |
| /48 | Site allocation | ISP | One customer site |
| /56 | Residential | ISP | Home (256 subnets) |
| /64 | Subnet | Network admin | One network segment |
| /128 | Host | SLAAC/DHCPv6 | Single device |
Why /64 Is the Standard Subnet
Every IPv6 subnet should be a /64 -- no exceptions for normal LANs. This is because:
- SLAAC requires /64 -- Stateless address autoconfiguration generates a 64-bit interface ID.
- Neighbor Discovery assumes /64 -- The protocol operates within /64 boundaries.
- Standards mandate it -- RFC 6164 is the only exception (point-to-point links can use /127).
Never use /112 or /120 to "save" IPv6 addresses on a LAN. The address space is designed to be used generously.
Practical Subnetting Example
Given a /48 allocation of 2001:db8:abcd::/48, create subnets for a campus:
A structured scheme using the 16-bit subnet ID enables logical grouping: 01xx for Building A, 02xx for Building B, 0fxx for infrastructure.
Nibble Boundaries
In IPv6, it is best practice to subnet on nibble boundaries (4-bit increments). Since IPv6 addresses are written in hexadecimal, each hex digit represents exactly 4 bits. Subnetting on nibble boundaries makes addresses human-readable.
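The campus scheme and the nibble-boundary rule above, as an added Python example (not code from the original article): it derives /64s from 2001:db8:abcd::/48 by subnet ID and audits a plan for prefixes that leave the site, exceed /64 on a LAN, or split a hex digit. The function names and the sample plan are constructed for illustration, and any /127 is assumed to be a point-to-point link.

```python
import ipaddress

# Site prefix and grouping scheme come from the article; all names here are this example's own.
SITE = ipaddress.ip_network("2001:db8:abcd::/48")
GROUPS = {0x01: "Building A", 0x02: "Building B", 0x0F: "Infrastructure"}

def subnet64(site, subnet_id):
    """Return the /64 whose 16-bit subnet ID (the fourth hextet) is subnet_id."""
    if site.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 site prefix and a 16-bit subnet ID")
    base = int(site.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

def group_of(net):
    """Map a prefix to its group via the high byte of the subnet ID (01xx, 02xx, 0fxx)."""
    subnet_id = (int(net.network_address) >> 64) & 0xFFFF
    return GROUPS.get(subnet_id >> 8, "unassigned")

def audit(site, planned):
    """Return (prefix, finding) pairs for plan entries that break the rules above."""
    findings = []
    for text in planned:
        net = ipaddress.ip_network(text)
        if net.version != 6 or not net.subnet_of(site):
            findings.append((text, "outside site allocation"))
        elif net.prefixlen > 64 and net.prefixlen != 127:  # /127 assumed point-to-point
            findings.append((text, "LAN prefix longer than /64"))
        elif net.prefixlen < 64 and net.prefixlen % 4 != 0:
            findings.append((text, "not on a nibble boundary"))
    return findings

# Constructed sample plan, not from the article.
PLAN = [
    "2001:db8:abcd:101::/64",   # Building A segment
    "2001:db8:abcd:100::/56",   # Building A aggregate, ends on a hex digit
    "2001:db8:abcd:200::/57",   # splits a hex digit
    "2001:db8:abcd:102::/120",  # "saving" addresses on a LAN
    "2001:db8:abcd:fff::/127",  # point-to-point link
    "2001:db8:beef:1::/64",     # typo: not inside the /48
]

if __name__ == "__main__":
    for sid in (0x0101, 0x0102, 0x0201, 0x0F01):
        net = subnet64(SITE, sid)
        print(f"{sid:04x}  {net}  {group_of(net)}")
    for prefix, finding in audit(SITE, PLAN):
        print(f"{prefix} -> {finding}")
```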
Point-to-Point Links
RFC 6164 recommends /127 for point-to-point links (similar to IPv4's /31). This prevents the "ping-pong" attack where a packet addressed to the subnet-router anycast address bounces between two routers.