
Internet of Things (IoT) -Security, Privacy, Safety-Platform Development Project Part-2

saltuzzo | 11 November, 2016 09:24

Part 2: IPv4 and IPv6:
The Ins and Outs of IP Internet Addressing

“Creativity expands the mind, stretches it beyond ordinary human comprehension, resulting in the mind being elastic and capable of transcending and discerning complex ideas.” - Michael Bassey Johnson

Part 1 Introduction - Setting the Atmosphere for the Series (September 26, 2016)
Part 3 IPv4, IPv6 DHCP, SLAAC and Private Networks - The Automatic Assignment of IP Addressing (November 24, 2016)
Part 4 Network Protocols - Network, Transport & Application (January 10, 2017)
Part 5 Network Protocols - Network, Transport & Application -Continued (Aug 17, 2017)
Part 6 Network Protocols - Network, Transport & Application -Continued -Ethernet Protocol (Sept 21, 2017)
Part 7 Network Protocols - Network, Transport & Application -Continued -The CRC-32 and Checksums (Nov 23, 2017)
Part 8 IoT Core Platform - SoC Core Processor of Embedded Systems (Jan 12, 2018)
Part 9 IoT Core Platform - SoC Core Processor of Embedded Systems -Vulnerabilities (Mar 16, 2018)
Part 10 IoT Core Platform - SoC Core Processor of Embedded Systems -Documentation Management (Apr 5, 2018)

Let's Get Started: Quick Review to Set the Atmosphere for Part 2
From Part 1 we see there are many categories to address with IoT devices.  We will cover the legal aspects mentioned in Part 1 in our Law and Technology Blog section at another time.  Since this is an IoT design series, our objective is to create a core IoT device development platform from the basics to the complex, complete and ready to be implemented, incorporating full security and end-user control, and compatible with both IPv6 and IPv4.  BASIL Networks, PLLC always encourages education and growth through understanding the sciences.

As stated in Part 1, the exhaustion of IPv4 Internet addresses was the catalyst for the development of IPv6.  Running both versions side by side has created a lot of difficulty in understanding what is unique to IPv4 and to IPv6, which parts of IPv4 will be discontinued, and how this affects the privacy of the IPv4 and IPv6 customer base.  Where this becomes an issue is converting the home and SOHO network, which is primarily IPv4, over to IPv6.  IPv6 is at its 20th anniversary: RFC 1883, the IPv6 Specification, was published in January 1996, and to date (2016) about 15% of the total global Internet has converted to IPv6, with the USA at over 35% at this time.  To put that in perspective, the US government set forth a mandate that all DoD and civilian providers upgrade to IPv6 by 2008.  That was eight years ago, and the majority of ISPs (Internet Service Providers) have upgraded at least several of their servers so that they met the requirement.  However, the majority of businesses, SOHO and family home networks are still running IPv4.  There are many published articles outlining the pros and cons of making the transition at this time; after all, it has only been 20 years.  We will address how this transition will affect the privacy of home and SOHO networks and how much time remains before a mandatory change is imminent.  We are still in the fact-gathering, educational stage of this series, categorizing the unique characteristics of IPv6 and IPv4 in order to create our TSD (Technical Specification Document), which will be used as a guide to design our core IoT development platform.

IPv4 - IPv6: Information Highway Bubble
In this part of our IoT design series we will cover the basics of IP (Internet Protocol) addressing, how it works and why it is exposed to anyone who wants to listen in on the global Internet “Information Highway”.  Do not worry about this being too technical to understand; for those just beginning to understand IP network technology we will relate it to things you already understand and do naturally.  Those who are more technical, myself included, should find this a refreshing review; I hope you will too.

IANA and ICANN: Internet Core Basics
Everything on the Internet "Information Highway" is identified by a number.  An IP address on both ends is required for communications, just like cell phone numbers, building addresses and so on, so that information flows from Point A to Point B.  TCP/IP (Transmission Control Protocol / Internet Protocol) is a Point to Point (P2P) protocol.

There are two major organizations that manage the Internet Protocol throughout the entire Internet: IANA (Internet Assigned Numbers Authority) and ICANN (Internet Corporation for Assigned Names and Numbers).
IANA - The Internet Assigned Numbers Authority manages all the IP addresses that are assigned to Internet Service Providers globally.  This ensures that each IP address is unique, in order to comply with the TCP/IP P2P protocol requirements.
ICANN - The Internet Corporation for Assigned Names and Numbers manages all domain names associated with IANA IP number assignments.  This ensures that a single IP address is assigned to a single domain name.

A Simple Analogy to Understanding the IP Address:
Before we get too technical with IPv4 and IPv6, let's look at something similar that we use and understand in our everyday lives.  Let's say you want to mail a package to a person in another state, and what is interesting is that the house number and street name are the same as yours; however, the package is delivered without issue.  Great, let's break this down to see how this works.  To start we will assign some labels to the postal delivery path.  Here in the USA the ZIP Code is used; since each State has its own Postal ZIP Codes, this gets the package to a local county region, and from there the postal delivery agent identifies the street name and number and delivers the package.  The simple table below shows this.

Address From Point A             | Address To Point B
---------------------------------+---------------------------------
ZIP Code, State Prefix           | ZIP Code, State Prefix
ZIP Code, City Prefix            | ZIP Code, City Prefix
ZIP Code, County                 | ZIP Code, County
Street Number and Street Name    | Street Number and Street Name

So now we have the P2P map for the delivery of the package.  We can easily convert this whole delivery system to a numerical system and create four groups or classes for it: Class A, B, C and D.  This is now a global numbering system that is independent of country.  Fortunately, the global populace has been using the various postal systems for several centuries now and has integrated them into daily life as a normal level of knowledge.  The global populace has also integrated usable technology into daily life as a normal level of knowledge, and now we are expanding that level with the integration of IPv4 and IPv6.  We use the Internet without thinking about how it actually functions, the same way we mail a package.  Somewhere in the back of our minds we do understand how it works; we just do not think about it, we apply it.  The table below connects the dots between ZIP Codes and Class type networks and crosses that analogy bridge.  As we see, the Classes identify groups of the IPv4 and IPv6 protocols, and they are the same except for the number of numerical addresses in each group, as we will clearly see.

Postal Map                       | Class ID | IPv4 | IPv6
---------------------------------+----------+------+------
Zip Code, State Prefix           | Class A  |      |
Zip Code, City Prefix            | Class B  |      |
Zip Code, County                 | Class C  |      |
Street Number and Street Name    | Class D  |      |

OK, we have now been able to reach the actual house of the destination and deliver the package.  So we open the package and find a gift for the kitchen; let's go one step further and label the rooms in the house with a numerical identity as well, labeled PortID.  We will address the PortID later on.  Let's focus on the addressing part first; the PortID is an add-on to the addressing.

Relating this postal map and classes to the IP protocol addressing scheme is a lot easier when there is an analogy to something we understand.  Since the Internet deployed a 32-bit protocol yielding four billion (4,294,967,296 = 2^32) P2P addresses, running out of addresses was not really considered probable at the time IPv4 was deployed.  After the deployment of IPv4 in the late 70's and early 80's, it took less than 10 years of growth to realize the limitation of running out of addresses.  Well, here we are today and IPv4 has less than 10% of its addresses remaining.  When we look at the whole world population and its growth, it now seems an obvious thought that we would run out of four billion addresses considering there are over 6 billion people on the planet; growth was the catalyst that started the development of IPv6.  Now that we are at this point, let's look at the two protocols, IPv4 and IPv6, and how they differ.

As we see, postal codes globally were developed on an as-needed basis and each country created its own way of coding.  The world was well populated before the "Information Highway" was organized, and it was easy to see that a straight numerical system would be easier to manage globally.  The 32-bit addressing scheme for the IPv4 protocol is grouped into four octets separated by periods (000-255 decimal, 00-FF hexadecimal).  IPv4 uses the decimal format of 000-255 instead of hexadecimal, which yields classes A, B, C and D.  As an example, this website is registered with ICANN as "" to the IPv4 address .  IPv4 represents each octet in decimal format; however, as we transfer to IPv6 this changes to hexadecimal, and part of the IPv6 address for "" becomes 408B:8C33 in hex format.  Figure 1.0 shows the IPv4 protocol addressing.  Consider that today's number of registered domain names exceeds one billion and is growing.

Figure 1.0 IPv4 IP Address

Switching to the IPv6 Address:
IPv6 is a 128-bit address protocol grouped into eight 16-bit blocks (two octets each) written in hexadecimal format (0000-FFFF) and separated by colons.  This gives eight groups of 16 bits in hex format, such as FD76:938C:03FF:51D3:0000:0000:00D3:000E.  This does get cumbersome at times, so to help with the formatting IPv6 has shortcuts for displaying the address: for example, 0000:0000:0000:0000:0000:0000:408:833 may be written as ::408:833.  Leading 0's are also dropped, so the IPv6 address FD76:938C:03FF:51D3:0000:0000:00D3:000E may be written as FD76:938C:3FF:51D3:0:0:D3:E.  The size of IPv6 is huge: the largest number for 128 bits (2^128) is about 340x10^36 (340 billion, billion, billion, billion) addresses, a few more addresses than IPv4.  Enough for many devices.  Great, the addressing issue with the Internet is fixed, so what changed in order to obtain this huge address space?

Figure 2.0  IPv6 IP 128 Bit Address Assignments

IPv4 Network Address Translation (NAT) versus IPv6 Unique Local Addressing (ULA)
IPv4 Private Networks: LAN (Local Area Network)
Here is where it starts to differ and become a bit more technical.  IPv4 uses a technique called NAT (Network Address Translation): using only one global IP address and translating it to a local private block of addresses called a LAN (Local Area Network).  It was created to extend the address range of IPv4 so as not to run out of addresses too soon.  NAT became the standard and allowed several devices to be controlled and still have access to the global Internet.  However, whenever you translate data in any form there are delays and software overhead to account for, which creates shortcomings in using NAT.  Today's new developments in technology such as VoIP and streaming video protocols that require direct point-to-point global IP addresses run into IPv4 limitations, which are addressed with special software to identify that a NAT protocol is being used, again at the expense of throughput.  NAT is considered a private LAN and IANA has assigned the following IP ranges: (, ( and (.  These IANA mapped IP addresses get no response on the global Internet and go into the global Internet black hole.  This allows these LAN addresses to be router controlled, transferring data to/from the global Internet or WAN (Wide Area Network).  LAN addresses through NAT (WAN↔NAT↔LAN) are generally used as the private internal network for the home, SOHO and business environment prior to IPv6.

Many IPv4 routers are shipped with a default of or a given IP in order to easily set up the router.  The IPv6 position is that since IPv6 allows enough IP addresses to handle all devices, NAT will no longer be required and will be discontinued.  We will get to how this is handled in the following paragraphs.

IPv6 Private Networks: ULA (Unique Local Address)
Private networks in IPv6 are handled a bit differently.  IPv6 does have a LAN equivalent, but it is called ULA (Unique Local Address); the address range is IANA mapped as anything above FDxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx.  The “difference” is that the ULA is completely isolated from the outside world and cannot be routed to the Internet like the LAN for IPv4 can.  The IPv6 ULA must always remain behind the router's global Internet transport mechanism.  IPv6 will be universally implemented over time and is moving towards the home family network environment slowly; however, this implementation will accelerate as providers upgrade to IPv6.  Providers like Comcast®, Cox®, Time Warner® and many others are already providing IPv6 connections to their customers.  Keep in mind that the majority of home networks are still IPv4, and requiring them to upgrade to IPv6 may cause other privacy issues as well as incompatible hardware and software issues at this time.  Figure 2.1 shows the IPv6 128-bit addressing format.  The L bit is the top octet's least significant bit and determines the ULA or Global Internet mode.  The top eight bits are FC for Global Internet and FD for ULA.  Figure 2.0 above shows that the IPv6 protocol address range is large enough to handle all the desired devices that may be connected globally to the Internet.

Figure 2.1 IPv6 Protocol Address Range

At this point we should be asking about the privacy issues and device control with IPv6.  Since the IPv4 NAT is no longer required to translate a block of local addresses in the IPv6 protocol, the devices connected are either totally blocked using ULA or are globally routed Internet devices.  The website IPv6 covers everything you ever want to know about IPv6, technical and general; we will be utilizing the technical data for the later parts of this series.

Many of the medium to large businesses have already made the conversion to IPv6; however, many are still running a dual IPv4/IPv6 system.  This dual-stack IPv6/IPv4 implementation, outlined in RFC 2893, allows the IPv4 class for communications between the two protocols and is recognized as IPv4-mapped IPv6 addresses.  Figure 2.2 shows the 128-bit IPv6-IPv4 class addresses, which consist of an 80-bit prefix of zeros, the next 16 bits all ones, and the remaining, least-significant 32 bits containing the standard IPv4 address.  The IPv6 address would be ::FFFF:.  The dual-stack implementation has been argued to introduce more security threats, as hosts could be subject to attacks from both IPv4 and IPv6; however, it is the better implementation during the IPv4 to IPv6 conversion process.  In a browser, accessing an IPv6 site directly would look like http://[0:0:0:0:0:FFFF:]/ (notice the brackets enclosing the IPv6 address), or in full IPv6 notation http://[0:0:0:0:0:FFFF:408b:4C33]/ ( represented in hex = 408B:4C33), and for IPv4 it would just be .  This dual stack is the interim fix being used for the transition from IPv4 to IPv6.

Figure 2.2 IPv6-IPv4 Dual Stack Mapped Protocol Address Range

Network Privacy Conundrum: “The Big Deal”
As we see, the addressing capability of IPv6 (128 bit) compared to IPv4 (32 bit) is over 340x10^36 larger.  The issue with the transition to IPv6 is the elimination of IPv4 NAT in the IPv6 protocol and the new requirements for privacy and security that come with this transition.  TCP/IP is an OSI (Open System Interconnect) protocol and is just a transport agent for data point to point.  Privacy and security are the responsibility of the user; TCP/IP just transports data.

Device privacy, blocking the device from the global Internet within an IPv4 network, is controlled by a firewall that is generally integrated into the router.  There are many choices of IPv4 routers on the market today and will be for some time.  Some ISPs, like Comcast®, supply the routers, while others allow you to supply your own.  Either way, the majority of these IPv4 routers come with a decent if not robust firewall.  Blocking a single device like a printer from Internet access outside the IPv4 LAN is an easy task for the IPv4 firewall: just add the device's IP address to the firewall security policy for outbound and inbound traffic, and only the devices connected to the LAN will have access to it, while the other devices on the LAN that are not blocked are translated to have access to the global Internet.  If the user decides to allow the printer address to be routed to the global Internet, just remove the security policy block from the firewall.  The router will complete the gateway communications from the LAN to/from the WAN.

The IPv6 class protocol does not include NAT as in IPv4; what IPv6 incorporates is a private network class called the ULA (Unique Local Address) area network, and this ULA is “not routable” to the global Internet the way the IPv4 NAT-LAN is.  There is no NAT like IPv4's directly in IPv6, which brought up an interesting challenge for the Internet Engineering Task Force (IETF) to solve.  The challenge for the time being is answered by the use of the IPv6-IPv4 dual-stack until all the systems are upgraded to IPv6.  The dual-stack will remain in use for some time since less than 20% of the global Internet is IPv6.  The major players like Comcast®, Time Warner® etc. utilize the dual-stack IPv6-IPv4 class in order to accommodate the millions of family and SOHO user accounts that are using IPv4 networks.

Summary IPv4:
In IPv4 we used one IP address through NAT and were able, without ISP involvement, to assign up to 255 devices for each subnet incorporating NAT, and to control whether these devices were to be blocked from the global Internet or not with a simple security policy through the integrated firewall.  NAT flexibility comes with a throughput cost, since additional software overhead is required to translate the LAN to/from the WAN.  In IPv6 we are either on the global Internet “or” on the ULA private network, which is not routable to the global Internet.  IPv6 routers that come with integrated firewalls are still being developed and are limited in accommodating the full capabilities of IPv6 at this time.  This will change over time as the demand to upgrade to IPv6 grows.

The IPv6 ULA Challenge: User Control of the IPv6 IoT Devices
On the positive side, using IPv6 ULA gives the "ultimate" protection to the private internal network, eliminating access to the internal network from outside hackers.  From this series' point of view, it eliminates one of the problems of outside control of IoT devices inside the home/SOHO network.  However, if any of the devices need to be on the global Internet in any way, they will have to be on a separate network with a global IP address and no communications to the ULA private network.

On the not so positive side of the challenge, the IPv6 class protocol allows all devices to be connected to the global Internet, which is the intent of IPv6.  Globally connected devices are given the ability to talk to each other and be monitored without having to translate addresses through a router (NAT) or a special Application Level Gateway (ALG).  Having every device address publicly accessible is the future planning of IPv6 communications.  This is where privacy issues appear and have to be addressed.  Imagine someone in another country being able to view your environment, or even the vulnerability of being hacked and having your thermostat turned off in sub-zero weather in the middle of the night.

Summary IPv6: Device Control with IPv6 On-Line:
Ideally, devices connected to IPv6 ULA will communicate with any other device or controller on the ULA and are completely isolated from the global Internet.  In order to actively control a device connected to the IPv6 global Internet, a separate firewall is required for the specific IP addresses in order to control access from other devices or unwanted hackers.  Keep in mind that the breached organizations you read about also have very expensive firewalls.  IPv6 firewalls for the home and SOHO are still being developed; some of the IPv6 routers available have limited firewall capabilities.  However, this is expected to change over time, since the market is huge and competition will force the development of more robust firewalls.  We will cover firewalls and device control in the design series at a later date.  At this time we are just categorizing the issues we have to take into account for the development platform.

IP Address Ports:  How They Are Used with the IP Address
We are now ready to bring up the PortID again.  Remembering the package delivered to the house with a gift for the kitchen, you would want to keep it in the kitchen PortID.  A little about IP address ports: there are 65,535 of them for each IP address, which is like having a house with 65,535 nooks, rooms and little places to put things.  The complete list of port assignments can be found at PORTS.  Ports are used for directing data traffic of a specific type, like when you download a file from the Internet using HTTP port 80 or FTP port 21.  Since each IP address has 65,535 (2^16) ports, each address is capable of handling multiple tasks: for example, a web server on HTTP is assigned PortID 80 and a mail server (POP3) is assigned PortID 110, which means that data will only travel through the assigned PortID.  The use of IP address ports has not changed from IPv4 to IPv6; they are handled the same way, with a slight modification to the IPv6 address notation due to its size.  IPv4 notation places the PortID at the end of the address after a colon, as to access the FTP port on a server.  The IPv6 PortID form is very similar, http://[0:0:0:0:0:FFFF:408B:4C33]:21 to access the FTP PortID on a server; we still use a colon, but it comes after the bracketed IP address.  Ports are still accessed with a colon after the IP address.  As we see, ports are like a water pipe that services many houses on a street; they may be turned on or off at any time.  PortIDs are used for many different device and server applications, as we will cover during the design process for our IoT core platform.
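As an added worked example (not code from the BASIL Networks post), the Python below implements the notation rules discussed in this part: the "::" and leading-zero shortcuts from the IPv6 address section, the FC/FD top octet and L bit from the ULA section, the ::FFFF: IPv4-mapped form from the dual-stack section, and the bracketed [address]:port URL form from this section. Compression follows RFC 5952, which also collapses the longest run of zero groups, so the post's FD76:938C:3FF:51D3:0:0:D3:E comes out as FD76:938C:3FF:51D3::D3:E; the sample addresses are constructed, and the standard library ipaddress module is used only as a cross-check.

```python
"""Added example: IPv6 text notation (expand, RFC 5952 compress, classify, URL form); sample addresses are constructed."""
import ipaddress
import re

_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")

def _groups(part: str) -> list[int]:
    """Parse colon-separated groups; a trailing dotted quad (::FFFF:a.b.c.d form) becomes two groups."""
    if part == "":
        return []
    out: list[int] = []
    pieces = part.split(":")
    for i, p in enumerate(pieces):
        if "." in p:                                     # embedded IPv4 tail
            octets = p.split(".")
            if i != len(pieces) - 1 or len(octets) != 4 or \
                    not all(o.isdigit() and int(o) <= 255 for o in octets):
                raise ValueError(f"bad embedded IPv4 address: {p!r}")
            o = [int(x) for x in octets]
            out += [(o[0] << 8) | o[1], (o[2] << 8) | o[3]]
        elif _HEX_GROUP.match(p):
            out.append(int(p, 16))
        else:
            raise ValueError(f"bad group: {p!r}")
    return out

def expand_ipv6(text: str) -> list[int]:
    """Return the eight 16-bit groups of an IPv6 address, undoing '::'; ValueError if invalid."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        left, right = text.split("::")
        head, tail = _groups(left), _groups(right)
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        return head + [0] * missing + tail
    groups = _groups(text)
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    return groups

def compress_ipv6(groups: list[int], upper: bool = False) -> str:
    """RFC 5952 form: leading zeros dropped, the longest run of two or more zero groups
    collapsed to '::' (leftmost on a tie), lowercase hex; upper=True gives the post's style."""
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError("need eight 16-bit groups")
    best_start, best_len, i = -1, 0, 0
    while i < 8:                                         # locate the longest zero run
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexs = [format(g, "x") for g in groups]
    if best_len >= 2:
        text = ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    else:
        text = ":".join(hexs)
    return text.upper() if upper else text

def classify(text: str) -> str:
    """Name the address kinds the post discusses. RFC 4193: top octet FC/FD is fc00::/7; the
    L bit (its LSB) = 1 means locally assigned ULA (fd00::/8); fc00::/8 (L = 0) is undefined."""
    g = expand_ipv6(text)
    top = g[0] >> 8
    if top in (0xFC, 0xFD):
        return "ula-local" if top & 1 else "fc00-undefined"
    if g[:6] == [0, 0, 0, 0, 0, 0xFFFF]:                  # ::ffff:a.b.c.d (RFC 4291)
        a, b = g[6], g[7]
        return f"ipv4-mapped:{a >> 8}.{a & 0xFF}.{b >> 8}.{b & 0xFF}"
    if 0x2000 <= g[0] <= 0x3FFF:                         # 2000::/3 global unicast
        return "global-unicast"
    return "other"

def url_with_port(host: str, port: int, scheme: str = "http") -> str:
    """scheme://host:port/; an IPv6 literal is bracketed so the port colon is unambiguous (RFC 3986)."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    try:
        ipaddress.IPv4Address(host)                      # plain dotted quad host
        return f"{scheme}://{host}:{port}/"
    except ipaddress.AddressValueError:
        return f"{scheme}://[{compress_ipv6(expand_ipv6(host))}]:{port}/"

def matches_stdlib(text: str) -> bool:
    """Cross-check our expand/compress against the standard library's canonical form."""
    return compress_ipv6(expand_ipv6(text)) == str(ipaddress.IPv6Address(text))
```

Running classify() over a list of addresses assigned on a home or SOHO segment shows at a glance which devices sit on the isolated ULA and which carry a globally routable address.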

The Family / SOHO IPv4 & IPv6 Networks: Overview
When we look at the typical IPv4 network in the home/SOHO environment, used by both family and business, as shown in Figure 2.3 below, we can easily see how fast the number of devices added to the network increases, and if the business starts to grow the decision to add a private e-mail and web server is put on the table.  Private web and e-mail servers give business protection at a legal level as well as at an information protection level.  Many SOHO offices do not have a web server or an e-mail server in the home environment, so without the SOHO servers shown in Figure 2.3, family and SOHO networks are the same.  In many SOHO operations the web and e-mail servers are outsourced, generally to the ISP or some other web hosting platform.  With an IPv4 network, device privacy is a simple task, as we explained in the Network Privacy Conundrum section above.  The issue is that all communications to the global Internet are performed via the LAN, where family members and business requirements have shared access.  This shared access creates an interesting challenge, since some family members browse social networks, web sites, gaming sites etc. that may or may not have good security guards to prevent a hacker from accessing the family members' smart phones, tablets or desktops.  When we look at the majority of homes that have Internet connections we have the typical wireless setup shown in Figure 2.3.  The IPv4 WAN↔NAT↔LAN controls devices through Network Address Translation (NAT) in order to accommodate many devices on a single IP address; a device is just added as needed and a Dynamic IP is assigned on the fly.  This IPv4 network is easy to set up, and it is easy to control the devices you want to allow to connect to the global Internet.  Figure 2.3 is a typical wired and/or wireless network.  The routers today usually have 4 or 8 local hard-wired ports that may be used for direct connection to a device or through a switch to add more devices.
Each subnet in IPv4 will handle over 253 devices, all time-shared through one IP address, so if everyone is browsing the Internet at the same time, the throughput is divided by the number on-line.  Normal throughput for household accounts with cable is around 10Mbs/5Mbs DownStream/UpStream, and 1Mbs/0.5Mbs for non-cable like DSL and Satellite.

There are two types of connections when you set up an Internet account with an ISP: a Static IP address or a Dynamic IP address.  The Dynamic IP address is terminated and reissued over an active time period controlled by the ISP; during the renewal all Internet access is terminated, usually for a few seconds.  The Static IP address is a fixed IP, like the IP address for (, and will remain active indefinitely.  This is the recommended type of IP for the standard IPv4 WAN connection and is better for running a separate web and e-mail server if that is decided on in the future.  For networks that are not going to run separate servers, any ISP service will work.  If you want to separate the business SOHO from the family, which is also recommended, you will be required to get an additional IP address.  Generally the ISP would assign a couple of IP addresses to each account to accommodate this; if not, there would probably be a small additional charge.

There is still concern about IPv6 and how addresses are to be controlled, and about the amount of user interaction over the control of devices on the global Internet.  IPv4 gives the user a lot of control over devices through the IPv4 router and incorporates a separate DHCP (Dynamic Host Configuration Protocol) server.  There is DHCP in IPv6 as well; it is labeled DHCPv6, along with a service for the global Internet called SLAAC (StateLess Address AutoConfiguration).  SLAAC allows a device connected to the global Internet to be assigned an address automatically at the global Internet level and start communicating immediately.  There is a manual configuration for this as well: Stateful, manual address configuration.  This gets a bit more technical and it is the next step to understanding device control with IPv6.  Our next part will cover how IPv4 and IPv6 differ in handling these device protocols.

If this were an IPv6 network you would need a separate IP address for each device that is linked, and no NAT would be used.  The ISP would have to assign a block of IP addresses for each account or charge for each additional IP address as devices are added.  Here at BASIL Networks we have a block of 12 IP addresses that support several servers on-line.  We are using the IPv6-IPv4 gateway class through the ISP for this area.

Figure 2.3 IPv4 Typical Home/SOHO Network


Publishing this series on a website or reprinting is authorized by displaying the following, including the hyperlink to BASIL Networks, PLLC, either at the beginning or end of each part of this series.
BASIL Networks, PLLC - Internet of Things (IoT) - Security, Privacy, Safety - The Information Playground Part 2: IPv4 and IPv6: The Ins and Outs of IP Internet Addressing

For Website Link: cut and paste this code:

<p><a href="" target="_blank"> BASIL Networks, PLLC - Internet of Things (IoT) - Security, Privacy, Safety - The Information Playground Part-2 - IPv4 and IPv6: <i>The Ins and Outs of IP Internet Addressing</i></a> (November 11, 2016)</p>


Sal (JT) Tuzzo - Founder CEO/CTO BASIL Networks, PLLC.
Sal may be contacted directly through this site's Contact Form or
through LinkedIn



Copyright© 1990-2017 BASIL Networks, PLLC. All rights reserved