I have an application that allows administrators to specify valid IP addresses from which web service requests can be made. I simply take the configured IP addresses and compare them against the incoming request. Comparing two IPv4 addresses is trivial and I thought comparing two IPv6 addresses would be as well.
However, my networking ignorance started to show when I noticed that IPv6 addresses are a little more complex. One issue I noticed is that if I look at the IP address on the machine (was viewing what VMWare console showed the IP address to be) versus the IP address from the web request (HttpContext.Current.Request.UserHostAddress
within .NET) I noticed that one of them ended in %10 and another in %11:
- ipconfig shows: fe80:8179:5576:c6d0:8b16%11
- UserHostAddress shows: fe80::8179:5576:c6d0:8b16%10
The only difference is the %10 and %11 - what gives?
I have also seen IPv6 addresses end in "/" followed by 2 digits. Should I just ignore these final 3 digits (if they exist) when doing a comparison? If so, what are the valid alternate endings that I need to look for?
----------- EDIT -------------
Here is my solution based on the answer provided...
I simply store a "scrubbed" IP address and compare that with a "scrubbed" IP address. Using .NET here is how I scrub an IP address. Not the best from a performance standpoint, but it does work. I would rather just do a comparison of the GetAddressBytes()
but I'm using a Dictionary
and I decided against the extra step of creating my own ByteComparer
.
IPAddress incomingIp = null;
bool ipAddressParsePassed = IPAddress.TryParse(userHostAddress, out incomingIp);
if (ipAddressParsePassed)
{
IPAddress scrubbedIp = new IPAddress(incomingIp.GetAddressBytes());
string scrubbedIpStr = scrubbedIp.ToString()
}
Wikipedia states:
Because all link-local addresses in a
host have a common prefix, normal
routing procedures cannot be used to
choose the outgoing interface when
sending packets to a link-local
destination. A special identifier,
known as a zone index, is needed to
provide the additional routing
information; in the case of link-local
addresses, zone indices correspond to
interface identifiers.
When an address is written textually,
the zone index is appended to the
address, separated by a percent sign
"%". The actual syntax of zone indices
depends on the operating system [...]
So, those suffixes are zone indicators, that associate the address with a physical interface. This also explains why the suffices differ between wired and wireless interfaces, for instance.
To help answer the question, I don't think the suffixes should be included in any comparison. IPv6 addresses are 128 bits by definition, and the suffixes are strictly local information that does not make sense outside your own machine and it's current operating system.
Comparing the 128 bits should be enough.
The only difference is the %10 and %11
- what gives?
These are IPv6 zone identifiers, link-local addresses, i.e. fe80 prefix, are only guaranteed unique on the local link. This means that the addresses fe80:8179:5576:c6d0:8b16%11 and fe80::8179:5576:c6d0:8b16%10 may refer to different machines, one has to be accessed through interface 10 and the other through interface 11.
Have a look at the definition of sockaddr_in6,
struct sockaddr_in6 {
short sin6_family;
u_short sin6_port;
u_long sin6_flowinfo;
struct in6_addr sin6_addr;
u_long sin6_scope_id;
};
You will need to compare the family, address, and scope-id fields for a complete match.
Addresses with a / and a number at the end use Classless Inter-Domain Routing (CIDR) notation. They can denote an actual address or a network. If there's a zero or :: before the / then it's a network.
CIDR notation
IPv6 is just a 128-bit versus 32-bit in IPv4; you should just be able to do a byte by byte comparison.