OCI IPv6 Unique Local IPv6 Unicast Addresses usage and considerations

May 29, 2024 | 4 minute read
Andrei Stoian
Master Principal Cloud Architect | North America Cloud Engineering

Some time ago we discussed IPv6 Unique Local Addresses, or ULA for short. What is particularly interesting about OCI IPv6 ULA is how it can be used. In this new IPv6 blog, I will present a real use case I received from one of my customers regarding OCI IPv6 usage in general and ULA in particular. It will be very interesting, so enjoy your reading!

The usage of OCI IPv6 ULA is straightforward: the prefix is NOT routable to the Internet and is equivalent to IPv4 private addressing. With ULA, you can assign a /64 prefix or larger to a VCN, simple as that.

When you define the VCN, in the IPv6 Prefixes section you can define the IPv6 ULA that will be used:

[Image: ula1]

Let's have a look at the example in the red square: it shows a prefix from FC00::/7. That is correct, since RFC 4193 defines the IPv6 ULA range as FC00::/7. If we recall, the 8th most significant bit (MSB) is called the L or Local bit flag; per the RFC, it indicates a locally assigned prefix when set to 1, and is undefined (it may be defined in the future) when set to 0. Thus, technically only prefixes from FD00::/8 should be defined and used (L bit set to 1). In reality, there is nothing preventing an administrator from defining and using an IPv6 prefix with the L bit set to 0, thus using the FC00::/8 portion of the allocation.

That being said, the question is: does OCI restrict the usage of IPv6 ULA to FC00::/7 only, since the example above is from FC00::/7? The answer is no, and this brings us to my customer's request.

Looking at the OCI public documentation with respect to IPv6 ULA, we can find the following table and note:

[Image: ula2]

In other words, when you want to use IPv6 ULA within your VCN, you can define any range from FC00::/7 and 2000::/3, but the traffic will not be routed out to the Internet, and no inbound Internet connections can be established. You can use these prefixes for your OCI IPv6 traffic within the same region, between regions, or between OCI and on-premises. Of course, you need to make sure they are unique (as the name implies) among all your network segments.

This was the very first question raised by my customer: can their own routable IPv6 space (from the GUA range) be used inside OCI but treated as "private" and used only for private IPv6 connectivity? For this question, the answer is obvious and is explained above.
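The rules above (allowed ranges, the L bit, the /64 minimum and uniqueness across segments) can be checked before a prefix is entered in the console. This is an added example, not Oracle code; the function names, labels and sample prefixes are constructed for illustration, and the /64 subnet check follows the test setup used in this post.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")     # RFC 4193 unique local block
ULA_L1 = ipaddress.ip_network("fd00::/8")  # L bit = 1: locally assigned
GUA = ipaddress.ip_network("2000::/3")     # global unicast space


def classify(net):
    """Label a prefix by the ranges the post says a VCN may use as ULA."""
    if net.subnet_of(ULA_L1):
        return "ula-l1"
    if net.subnet_of(ULA):
        return "ula-l0"  # fc00::/8 (or fc00::/7 itself): L bit not set to 1
    if net.subnet_of(GUA):
        return "gua-as-private"  # accepted, but not routed to the Internet
    return "unsupported"


def check_plan(vcn_prefix, subnets, in_use):
    """Return (kind, findings); in_use lists prefixes used in other segments."""
    vcn = ipaddress.IPv6Network(vcn_prefix)  # strict: rejects host bits
    kind, findings = classify(vcn), []
    if kind == "unsupported":
        findings.append(f"{vcn} is outside fc00::/7 and 2000::/3")
    if kind == "ula-l0":
        findings.append(f"{vcn} has L bit 0, which RFC 4193 leaves undefined")
    if vcn.prefixlen > 64:
        findings.append(f"{vcn} is smaller than a /64")
    for other in map(ipaddress.IPv6Network, in_use):
        if vcn.overlaps(other):
            findings.append(f"{vcn} overlaps existing segment {other}")
    nets = [ipaddress.IPv6Network(s) for s in subnets]
    for i, sub in enumerate(nets):
        if sub.prefixlen != 64 or not sub.subnet_of(vcn):
            findings.append(f"subnet {sub} is not a /64 inside {vcn}")
        for prev in nets[:i]:
            if sub.overlaps(prev):
                findings.append(f"subnet {sub} overlaps subnet {prev}")
    return kind, findings


if __name__ == "__main__":
    # Constructed sample: a GUA-range /48 (documentation prefix) used as ULA.
    print(check_plan("2001:db8:1234::/48",
                     ["2001:db8:1234:1::/64", "2001:db8:1234:2::/64"],
                     ["fd12:3456:789a::/48"]))
```

An empty findings list with the label `gua-as-private` corresponds to the customer's case: the prefix is accepted but behaves as private address space.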

Let's run a quick test and verify the above statements.

  • Define the IPv6 ULA for VCN as a /48 from the GUA space:

[Image: ula3]

  • Define two IPv6 subnets as /64 from the above space:

[Image: ula5]

  • Traffic testing between two VMs using the IPv6 addresses assigned:

[Image: ula6]

The first question is now concluded.

My customer had another question, about a configuration that needs to be done in the future. Taking into account that the customer's IPv6 ULA space is actually Internet-routable space from the GUA range, their second question was related to the IPv6 BYOIP process.

In the future, once the IPv6 BYOIP process is completed and OCI announces to the Internet the very same IPv6 prefix that was used as ULA, will the already assigned IPv6 addresses be routable to the Internet (assuming the subnets were defined as public)?

Let's explore the answer to this question.

If we look carefully at the picture below, we will notice three IPv6 pools, each pool with its own routing characteristics:

[Image: ula7]

  • Oracle-allocated IPv6 Prefix - Internet routable

  • BYOIP IPv6 Prefix - Internet routable

  • ULA IPv6 Prefixes - Private communication only

It is now clear that if we want Internet-routable IPv6 traffic, our IPv6 addresses need to be assigned from the BYOIP space and not from the ULA IPv6 space. That being said, in the future, once the IPv6 BYOIP process is completed, we need to delete from the VNIC the associated IPv6 address from the ULA space and assign a new one from the IPv6 BYOIP space.

I do hope we now have better clarity on the usage of the IPv6 ULA space within OCI for our use case, where the ULA prefix is from the GUA space and this IPv6 prefix will also be part of the BYOIP process.
