User:Jasper Deng/IPv6/non-technical

This is a non-technical guide to dealing with IPv6. It expects that you are familiar with blocking IP addresses.

What is IPv6?
IPv6 stands for Internet Protocol version 6. It is the successor to IPv4 (Internet Protocol version 4). Until 6 June 2012, the term IP address only referred to addresses in the latter protocol. An example would be 23.8.23.126.

That is referred to as an IPv4 address. It represents the binary value of a sequence of 32 bits. On the other hand, an IPv6 address may look like 2001:db8:93f:bac::39. It is the value of a sequence of 128 bits, using hexadecimal (base-16). It is important to memorize that the letters A-F mean the single-digit values of 10-15, respectively (thus C in hexadecimal means 12 in the common base-10 system).

The syntax of an IPv6 address is [4 base-16 digits]:[4 base-16 digits]:[4 base-16 digits]:[4 base-16 digits]:[4 base-16 digits]:[4 base-16 digits]:[4 base-16 digits]:[4 base-16 digits] (without brackets). Then why, you ask, does the example address given in the paragraph above not agree with this syntax? As it turns out, IPv6 addresses, unlike IPv4 addresses, can contract. In other words, an IPv6 address can be written in several ways, using the following rules, both of which MediaWiki uses: Because IPv6 addresses are case insensitive, MediaWiki presents them with all letter digits lower-case. However, in the title of an IPv6 user's talk page, and in certain other contexts, the letters are rendered as uppercase.
 * 1) A single set of consecutive groups of 4 base-16 digits (not separated by a colon/all digits are together between same colon set) all set to zero can be replaced by :: in an address (only once in a particular address). Thus 2001:db8:0000:0000:abcd:de09:0000:0000 can become 2001:db8::abcd:de09:0000:0000 or 2001:db8:0000:0000:abcd:de09:: using this rule only.
 * 2) Leading zeros within any group of 4 base-16 digits (again, not separated by a colon) can be omitted. Thus the example 2001:db8:0000:0000:0000:0bcd:00dc:000a can become 2001:db8:0:0:0:bcd:dc:a using this rule only. If rule 1 is not applicable to a group of 4 zeros (as is the case when there are more than one collapsable series of zeros in the address), then that group can still be reduced to a single 0.

Why IPv6?
Each bit can have two different values, thus the 32 bits of an IPv4 address can have 232=4,294,967,296 different values, and thus that many addresses. However, with 15 billion Internet devices forecast to be online by only 2015, IPv4's 4.3 billion addresses is not enough, and this is becoming a problem for the Internet. This has resulted in several users sharing the same IPv4 address using NAT. As the demand for Internet connections increases, more and more users must use NAT because more addresses have to be shared among multiple users.

This also has major implications on wikis like Wikipedia that record IP addresses. Blocking a single IPv4 address becomes more and more likely to cause collateral damage because of one bad egg out of many. It also increases the likelihood of users being linked by CheckUser, even if no actual sockpuppetry has occured for innocent accounts.

The solution is to begin using IPv6. Because 2128=340,282,366,920,938,463,463,374,607,431,768,211,456 possible IPv6 addresses, IPv6 avoids the collateral damage problems imminent with IPv4. It was enabled on Wikimedia Foundation wikis on 6 June 2012.

I am an administrator. What does it mean for me?

 * You'll have to distinguish IPv6 addresses from accounts, especially accounts with names resembling IPv6 addresses.
 * Be more comfortable doing rangeblocks, since it is more likely that a single user can jump IPv6 addresses.
 * IPv6 open proxies do exist. Always consider this possibility.
 * Blocking IP addresses does have a list of sensitive IPv6 addresses, but do not rely on it being complete. Always check the WHOIS to make sure the organization you've blocked is not on the list of sensitive addresses. If it is, update the table on the policy page with the range(s) you found.
 * Do not be tempted to rangeblock a user's entire LAN, unless you know that the user will and has jumped IPv6 addresses.

I am a CheckUser. What does it mean for me?

 * Be wary of saying two users are "confirmed" if they use the same tunnelbroker. Tunnelbrokers, in general, are not a reliable indication of location or relation, with the exception of SixXS which has its own WHOIS database (Contact abuse@sixxs.net to report problems, which might lead to disabling of the connectivity for the given tunnel given enough proof and non-response of the user).
 * Always check the WHOIS of an IPv6 address to determine whether it is a tunnelbroker address. WHOIS entries like SixXS, Gogo6, and Hurricane Electric often mean you've got a tunnelbroker address.
 * 6to4 (2002:*) and Teredo (2001:0:*) tunnel addresses will not have WHOIS. Instead you must deduce the IPv4 address of the user and rely on that for location.
 * IPv6 open proxies do exist. Do not discount the possibility. (IPv6Gate which does both IPv4<->IPv6 and IPv6<->IPv4 proxying, includes HTTP X-Forwarded-For/Via headers and includes details in the User-Agent information to disclose the real user).
 * CheckUser supports checking a /32 range (with the first 2 groups of digits all the same in a /32). Do not be afraid to check a user's range for this reason.

How do I do an IPv6 rangeblock?
You'll have to be familiar with CIDR notation. See mw:Help:Range blocks/IPv6 for more information.

I develop a script that deals with user IP addresses. What do I do?
WikiProject IPv6's tasks include fixing such scripts.