Using Case Sensitive IPv6 Addressing on a Palo Alto

IPv6 brings us enough addresses until the end of the world. Really? Well… No. There was an interesting talk at RIPE77 called “The Art of Running Out of IPv6 Addresses” by Benedikt Stockebrand that concludes that we will run out of IPv6 addresses some day.

Luckily Palo Alto Networks has already added one feature to expand the IPv6 address space by making them case sensitive. That is: you can now differentiate between upper and lower case values “a..f” and “A..F”. Instead of 16 different hexadecimal values you now have 22 which increases the IPv6 space from 2^{128} to about 2^{142}. Here is how it works on the Palo Alto Networks firewall:

Dear reader. Please note that this was my April Fools’ joke of 2019. IPv6 addresses are NOT case sensitive! The screenshots are fake and the math is nonsense. I don’t want to confuse people, especially as this post is listed quite high on Google. Please have a look at all my other IPv6 related blogposts that are more profound. :D

While the original RFC 4291 “IP Version 6 Addressing Architecture” declares IPv6 addresses to be 128 bits long, represented as hexadecimal values from 0..f, the case sensitive addressing scheme has 6 more values, that is:

This increases the overall IPv6 address space with a factor of 16384. Wow! From 16^{32} = 2^{128} = 3.4 x 10^{38} to 22^{32} = 2^{142} = 5.5 x 10^{42}.

Enable IPv6 Case Sensitive Addressing

Palo Alto Networks has implemented this feature with PAN-OS 8.1.0. I am running a PA-220 with PAN-OS 8.1.6 in my lab. You can enable this feature at Device -> Setup -> Session -> Session Settings -> Enable IPv6 Case Sensitive Addressing:

After that you can commit layer 3 (sub-)interface IPv6 addresses that are only different in their lower/upper case notation of the abcdef/ABCDEF values:

Looking at the routing table via the CLI you can additionally verify this working setup (refer to lines 15-18):

However, keep in mind that this will only work if your overall network infrastructure supports this case sensitive IPv6 addressing scheme as well.


Yes, we will run out of IPv6 addresses one day. Since any kind of NAT/NPT solution should be avoided completely, this case sensitivity of IPv6 addresses is a quite good and working approach. Nice to see that Palo Alto Networks has already implemented it.

Featured image “ABC” by Jeremy Brooks is licensed under CC BY-NC 2.0.

3 thoughts on “Using Case Sensitive IPv6 Addressing on a Palo Alto

  1. Guys it dirtiest way to go. RFC newer allowed this in wide. Wakeup DNS are case insensitive! All www are case insensitive almost anywhere! How are you planning to end with this?
    Did you know how you get most of IPv6?
    2 examples that cover 99% of all IPv6 in world:
    A) Hardware+UUID = LinkLocal+PublicPrefix = IPv6
    B) Time+SomeUUID+Magic+PublicPrefix = TempIPv6
    And if you have DHCPv6 and not bugging clients you can assign really static IPv6, then you can disable stateless autoconfig and save IPs for half of plannet from one pure /64.
    Where you see in this 2 examples guy with Uppercase IPv6? – Maybe only on /64 or /46 mask it can be applied but again: who will guarantee that you will not bunnet for guy with same lowercase IP for example? Hm? And win from /64 case sensitive subnet not so big

  2. Quick question: how are you playing CIDR on the Case sensitive IPs? especially considering 6 extra choices per character, which is clearly not an integer number of bits. and even the whole IPv6-CS address is not a whole number of bits either.

    Base-32 or 64 might have been a bit more fun.

Leave a Reply

Your email address will not be published. Required fields are marked *