IPv6 brings us enough addresses until the end of the world. Really? Well… No. There was an interesting talk at RIPE77 called “The Art of Running Out of IPv6 Addresses” by Benedikt Stockebrand that concludes that we will run out of IPv6 addresses some day.
Luckily Palo Alto Networks has already added one feature to expand the IPv6 address space by making them case sensitive. That is: you can now differentiate between upper and lower case values “a..f” and “A..F”. Instead of 16 different hexadecimal values you now have 22 which increases the IPv6 space from to about . Here is how it works on the Palo Alto Networks firewall:
While the original RFC 4291 “IP Version 6 Addressing Architecture” declares IPv6 addresses to be 128 bits long, represented as hexadecimal values from 0..f, the case sensitive addressing scheme has 6 more values, that is:
0123456789 abcdef ABCDEF
This increases the overall IPv6 address space with a factor of 16384. Wow! From to .
Enable IPv6 Case Sensitive Addressing
Palo Alto Networks has implemented this feature with PAN-OS 8.1.0. I am running a PA-220 with PAN-OS 8.1.6 in my lab. You can enable this feature at Device -> Setup -> Session -> Session Settings -> Enable IPv6 Case Sensitive Addressing:
After that you can commit layer 3 (sub-)interface IPv6 addresses that are only different in their lower/upper case notation of the abcdef/ABCDEF values:
Looking at the routing table via the CLI you can additionally verify this working setup (refer to lines 15-18):
weberjoh@pa> show routing route afi ipv6
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
destination nexthop metric flags age interface next-AS
::/0 2001:470:1f0b:1024::1 10 A S ethernet1/2
2001:470:1f0b:1024::/64 2001:470:1f0b:1024::2 0 A C ethernet1/2
2001:470:1f0b:1024::2/128 :: 0 A H
2001:470:765b::/64 2001:470:765b::1 0 A C ethernet1/5.224
2001:470:765b::1/128 :: 0 A H
2001:470:765b:abcd::/64 2001:470:765b:abcd::1 0 A C ethernet1/5.6
2001:470:765b:abcd::1/128 :: 0 A H
2001:470:765b:ABCD::/64 2001:470:765b:ABCD::1 0 A C ethernet1/5.7
2001:470:765b:ABCD::1/128 :: 0 A H
total routes shown: 9
However, keep in mind that this will only work if your overall network infrastructure supports this case sensitive IPv6 addressing scheme as well.
Yes, we will run out of IPv6 addresses one day. Since any kind of NAT/NPT solution should be avoided completely, this case sensitivity of IPv6 addresses is a quite good and working approach. Nice to see that Palo Alto Networks has already implemented it.
Featured image “ABC” by Jeremy Brooks is licensed under CC BY-NC 2.0.
3 thoughts on “Using Case Sensitive IPv6 Addressing on a Palo Alto”
Guys it dirtiest way to go. RFC newer allowed this in wide. Wakeup DNS are case insensitive! All www are case insensitive almost anywhere! How are you planning to end with this?
Did you know how you get most of IPv6?
2 examples that cover 99% of all IPv6 in world:
A) Hardware+UUID = LinkLocal+PublicPrefix = IPv6
B) Time+SomeUUID+Magic+PublicPrefix = TempIPv6
And if you have DHCPv6 and not bugging clients you can assign really static IPv6, then you can disable stateless autoconfig and save IPs for half of plannet from one pure /64.
Where you see in this 2 examples guy with Uppercase IPv6? – Maybe only on /64 or /46 mask it can be applied but again: who will guarantee that you will not bunnet for guy with same lowercase IP for example? Hm? And win from /64 case sensitive subnet not so big
You should move to UX industry ;-)
Quick question: how are you playing CIDR on the Case sensitive IPs? especially considering 6 extra choices per character, which is clearly not an integer number of bits. and even the whole IPv6-CS address is not a whole number of bits either.
Base-32 or 64 might have been a bit more fun.