Episode 40 — IPv4 and IPv6 Basics: Addressing, Notation, and Security-Relevant Differences
In this episode, we’re going to take a topic that can look like pure math at first glance and turn it into something you can actually reason about for security. IP addressing is how devices and services are identified on networks, and it shapes what can talk to what, what can be reached from where, and what defenders can monitor and control. IPv4 and IPv6 are two versions of Internet Protocol (IP), and both are still relevant because the world is in a long transition where you often see both at the same time. Beginners sometimes treat the difference as just a longer address format, but the differences influence security in ways that matter, especially around exposure, scanning, and how organizations design their networks. We’ll focus on three practical pieces: how addresses are structured, how notation works so you can recognize what you are seeing, and what changes about security thinking when you move from IPv4 to IPv6. By the end, you should feel comfortable reading common address formats and explaining why IPv6 changes the conversation for network security.
A useful way to approach IP addresses is to treat them as labels that make routing possible, because without labels, packets cannot find their destination across many networks. An address is not a human-friendly name like a website domain, but a network-friendly identifier that routers use to forward traffic toward the correct network and device. For security, that means addresses affect reachability, and reachability affects risk. If a system has an address that is reachable from the internet, it can be attacked from the internet. If it is not reachable, attackers have to find another path, such as compromising an internal system first. Addressing is also tied to segmentation, which is the practice of dividing networks into zones to limit what can talk to what. When you see an address and a prefix, you can often infer what network it belongs to and whether it is likely internal or external. Beginners sometimes think addresses are just for network engineers, but security teams rely on addressing concepts to write policies, interpret logs, and understand incidents. If you cannot interpret addresses, network activity becomes a blur of numbers with no meaning.
IPv4 is the older and still widely used version, and it uses 32-bit addresses, typically written as four decimal numbers separated by dots. Each number represents a byte, meaning it ranges from 0 to 255, and the four numbers together represent the full address. People call this dotted-decimal notation, and you will see it everywhere in logs, firewall rules, and network documentation. A typical IPv4 address might look like 192.0.2.10, and you do not need to memorize specific examples to understand the pattern. What matters is recognizing that IPv4 has a limited number of possible addresses, which is one of the reasons the world needed IPv6. That limitation shaped the internet in ways that matter for security, especially through techniques that allow many devices to share a smaller number of public addresses. Beginners often assume every device has a unique public address, but IPv4 scarcity pushed networks toward sharing and translation, which changes how traffic looks and how attacks can be traced.
A key IPv4 concept tied to notation is the idea of a subnet, which is a way of describing a block of addresses that belong to the same network segment. In modern practice, subnets are usually written using Classless Inter-Domain Routing (CIDR) notation, which expresses an address and a prefix length, like 10.0.0.0/24. The number after the slash indicates how many bits describe the network portion of the address, with the remaining bits used for host addresses within that network. You do not have to do bit math in your head to gain security value from this, but you should understand what the notation communicates: it defines a range of addresses and a boundary between network and host. For security, that boundary matters because firewall rules and routing rules often apply to ranges, not to single addresses. If a rule allows 10.0.0.0/24, it is allowing a block, not just one device. Beginners sometimes see the slash notation and panic, but the conceptual takeaway is simple: the slash number tells you how large the network is, and larger networks create larger attack surfaces if not segmented thoughtfully.
Another IPv4 security-relevant reality is the widespread use of Network Address Translation (NAT), which allows many internal devices to share one or a few public IPv4 addresses. NAT was born out of IPv4 address scarcity, and it became common in home networks and many enterprise networks. For security thinking, NAT changes how visibility and attribution work. From the outside, many devices may appear as one public address, which can make it harder to tell which internal system generated traffic without additional internal logs. It also creates a kind of incidental barrier, because internal devices behind NAT often are not directly reachable from the internet unless specific port forwarding rules are set up. Beginners sometimes assume this means NAT is a security control, but that is a misunderstanding. NAT can reduce direct exposure in some configurations, but it is not a substitute for firewalls, segmentation, and proper access controls. Security teams must still assume that internal networks can be breached and must still design defenses accordingly. Understanding NAT helps you interpret why internal addresses show up in logs and how external-facing services are exposed.
IPv6 was designed to address IPv4 limitations, especially the limited address space, and it uses 128-bit addresses, which is a huge increase in the number of possible addresses. This is why IPv6 addresses look longer, and why they are written in hexadecimal, using numbers and letters, separated by colons. A full IPv6 address can look intimidating, but the notation has rules that make it manageable. One rule is that leading zeros within a group can be omitted, and another is that a sequence of all-zero groups can be compressed using a double colon, but only once in an address. These conventions reduce visual clutter, but they can also confuse beginners because the same address can be written in multiple valid ways. The key is to recognize the structure: IPv6 is typically written as eight groups, each group representing 16 bits, and the groups are separated by colons. You do not need to memorize every notation rule, but you should be able to recognize an IPv6 address when you see it and understand that it represents a large address space with different operational assumptions. That address space is not just a technical curiosity; it changes how scanning, allocation, and exposure work.
IPv6 also uses prefix notation similar to IPv4, such as 2001:db8::/32, where the slash number indicates the length of the network prefix. The concept is the same: it defines a range and a boundary between network and host. In practice, many IPv6 networks use a /64 for local subnets, and while you do not need to memorize that as trivia, you should understand the security implication of large subnets. An IPv6 subnet can contain an enormous number of addresses, which makes blind scanning much harder because there are far more possible targets. Beginners sometimes assume this means IPv6 is automatically safer, but that conclusion is too simplistic. Attackers can still find targets through other methods, like listening to traffic, using DNS, exploiting known services, or compromising one device and then enumerating neighbors. The key security difference is that the address space changes the attacker’s strategy, not necessarily the attacker’s success. For defenders, it means monitoring and asset inventory become even more important because you cannot assume that scanning will reveal everything quickly. Understanding prefixes helps you think about scope and policy, which is central to cloud and enterprise networking.
One of the most security-relevant differences between IPv4 and IPv6 is how exposure is commonly handled. In many IPv6 deployments, devices can have globally routable addresses without needing NAT, because address scarcity is not the constraint it was in IPv4. This can be a benefit because it simplifies end-to-end connectivity, but it can also surprise organizations that assume internal devices are hidden behind translation. If devices have globally reachable IPv6 addresses and firewall policies are not configured carefully, services that were previously internal-only in IPv4 might become reachable through IPv6. This is not a theoretical risk; it is a common class of misconfiguration during transition periods. Beginners should understand that security is not automatically inherited when you add IPv6. You must apply the same principles of least privilege and segmentation to IPv6 traffic, and you must ensure that security policies cover both protocol versions. This is a key point for security thinking: dual-stack environments, where IPv4 and IPv6 both exist, can create gaps if defenders focus only on IPv4. Attackers often look for the forgotten path, and IPv6 can become that path when it is enabled but not monitored.
Another difference that matters is the way IPv6 supports automatic address configuration, which can reduce administrative burden but also introduce new considerations. In many networks, devices can generate their own IPv6 addresses based on network advertisements, which helps them connect without manual configuration. This can be convenient, but it also means addresses can change over time, and a security team must account for that in monitoring and policy design. If addresses are more dynamic, you may rely more on identity and device posture rather than assuming an address always represents the same endpoint. It also means that rogue devices can sometimes join networks more easily if physical controls and network admission controls are weak. Beginners sometimes assume address configuration is purely a networking convenience, but it has security implications because it affects how you identify devices and enforce rules. When you combine this with a large address space, you can see why asset management becomes critical. You need to know what devices are supposed to be on the network, not just what addresses happen to appear.
It is also important to talk about common special IPv6 address types because they show up in real environments and in logs, and recognizing them helps avoid confusion. Link-local addresses, which often start with fe80, are used for communication on the local network segment and are not meant to be routed across the internet. Loopback is still a concept, and IPv6 has its own loopback address. There are also unique local addresses that serve a similar purpose to private IPv4 ranges, providing addresses meant for internal use rather than public routing. Beginners do not need to memorize every prefix, but they should understand that not every IPv6 address is globally reachable. This matters for security because an address’s type influences where it can be used and what threats apply. A link-local address might show up in neighbor discovery and local traffic, while a global address might show up in internet-facing logs. Recognizing these categories helps you interpret what you are seeing during troubleshooting or investigations. It also helps prevent incorrect assumptions, like thinking any IPv6 address implies public exposure. The security mindset is to interpret the context, not just the format.
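The notation rules and address categories described above, applied to log reading. This is an added example, not part of the original episode; the log lines and the `src=` field format are constructed. It rewrites every source address into one canonical form, so the same host written three different ways is counted once, and it labels each address by scope.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (not from a real system).
SAMPLE_LOG = [
    "accept src=2001:0db8:0000:0000:0000:0000:0000:0010 dport=443",
    "accept src=2001:db8::10 dport=443",
    "accept src=2001:DB8:0:0::10 dport=22",
    "accept src=fe80::1c2a:ff:fe00:1%eth0 dport=5353",
    "accept src=fd12:3456:789a::5 dport=445",
    "accept src=::1 dport=8080",
    "accept src=192.0.2.10 dport=443",
    "accept src=10.0.0.7 dport=22",
]

# Ranges checked in order; anything unmatched is treated as globally routable.
SCOPES = [
    ("loopback", "::1/128"), ("loopback", "127.0.0.0/8"),
    ("link-local", "fe80::/10"), ("link-local", "169.254.0.0/16"),
    ("unique-local", "fc00::/7"),
    ("private", "10.0.0.0/8"), ("private", "172.16.0.0/12"),
    ("private", "192.168.0.0/16"),
    ("documentation", "2001:db8::/32"), ("documentation", "192.0.2.0/24"),
]
SCOPES = [(name, ipaddress.ip_network(net)) for name, net in SCOPES]

def normalize(text):
    """Return (canonical_text, scope) for one address as written in a log."""
    addr = ipaddress.ip_address(text.split("%")[0])  # drop any zone ID
    for name, net in SCOPES:
        if addr.version == net.version and addr in net:
            return addr.compressed, name
    return addr.compressed, "global"

def summarize(lines):
    """Count hits per canonical source address and record each one's scope."""
    hits, scopes = Counter(), {}
    for line in lines:
        m = re.search(r"src=(\S+)", line)
        if not m:
            continue
        canon, scope = normalize(m.group(1))
        hits[canon] += 1
        scopes[canon] = scope
    return hits, scopes

if __name__ == "__main__":
    hits, scopes = summarize(SAMPLE_LOG)
    for addr, n in hits.most_common():
        print(f"{addr:28} {scopes[addr]:14} {n}")
```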
From a monitoring and incident response viewpoint, IPv6 introduces new challenges and opportunities, mostly because defenders need visibility across both protocols. Logs, firewall rules, and monitoring systems must be configured to capture IPv6 traffic, and teams must be trained to read and interpret IPv6 addresses. During transition, it is common to see environments where IPv4 monitoring is mature while IPv6 monitoring is incomplete, creating blind spots. Attackers can exploit blind spots because suspicious traffic that is not monitored is harder to detect and investigate. IPv6 also affects how you write policies, because a policy that allows or blocks a certain IPv4 range may need a corresponding IPv6 policy to avoid inconsistent exposure. Beginners should understand that security controls do not automatically apply to both protocol versions unless explicitly designed to do so. This is why security teams emphasize defense in depth: even if one monitoring layer misses traffic, other layers should still provide signals. With IPv6, being deliberate about logging, alerting, and segmentation becomes even more important because the address space and configuration behaviors differ. The security lesson is that new protocol adoption must include security adoption, not just connectivity.
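The dual-stack gap described in the exposure and monitoring discussions above, as a small policy audit. This is an added example, not part of the original episode; the rule format, the policy contents and the outside source addresses (taken from documentation ranges) are constructed assumptions. It evaluates the same outside connection attempt under the IPv4 rules and the IPv6 rules and reports every port where the two verdicts differ.

```python
import ipaddress

# Constructed dual-stack ingress policy: first matching rule wins, otherwise
# the family's default applies. The rule format is hypothetical.
POLICY = {
    4: {"default": "drop", "rules": [
        ("accept", "0.0.0.0/0", 443),
        ("accept", "10.0.0.0/24", 22),
        ("accept", "10.0.0.0/24", 5432),
    ]},
    6: {"default": "accept", "rules": [     # IPv6 enabled, only partly covered
        ("accept", "::/0", 443),
        ("accept", "fd00:10::/64", 22),
        ("drop", "::/0", 22),
    ]},
}

def verdict(policy, src, dport):
    """Evaluate one source address and destination port against the policy."""
    addr = ipaddress.ip_address(src)
    family = policy[addr.version]
    for action, net, port in family["rules"]:
        if port == dport and addr in ipaddress.ip_network(net):
            return action
    return family["default"]

def dual_stack_gaps(policy, ports, outside_v4, outside_v6):
    """List ports whose verdict for an outside source differs by IP version."""
    gaps = []
    for port in ports:
        v4 = verdict(policy, outside_v4, port)
        v6 = verdict(policy, outside_v6, port)
        if v4 != v6:
            gaps.append((port, v4, v6))
    return gaps

if __name__ == "__main__":
    # Outside sources are taken from documentation ranges (constructed).
    for port, v4, v6 in dual_stack_gaps(POLICY, [22, 443, 5432],
                                        "198.51.100.7", "2001:db8:ffff::7"):
        print(f"port {port}: IPv4 outside={v4}, IPv6 outside={v6}")
```

Here the database port is closed to outside IPv4 sources but open over IPv6, because no IPv6 rule mentions it and the IPv6 default was never tightened.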
A useful way to compare IPv4 and IPv6 for security thinking is to focus on what changes and what stays the same. What stays the same is the core goal of addressing: identifying endpoints so traffic can be routed, and using policies to control reachability. What stays the same is the need for segmentation, least privilege, and consistent firewalling, because reachability remains the foundation of attack surface. What changes is how easy it is to rely on address scarcity and translation as accidental barriers, and how scanning and enumeration tend to work. What changes is the size of subnets, the way addresses are written, and the common deployment pattern of dual stack where both protocol versions exist. Beginners sometimes want a simple answer like IPv6 is more secure or less secure, but the truth is that security depends on configuration and practice. IPv6 can be very secure when monitored, segmented, and managed properly, and it can be risky when enabled without policy and visibility. The protocol changes the environment, but the principles remain consistent.
In conclusion, IPv4 and IPv6 are both methods of addressing and routing traffic using Internet Protocol (IP), and understanding their notation and security-relevant differences helps you think more clearly about exposure and control. IPv4 uses dotted-decimal addresses and often relies on concepts like CIDR ranges and widespread NAT, which can affect how services are exposed and how traffic attribution works. IPv6 uses a much larger address space with colon-separated hexadecimal notation and prefix lengths, and it commonly enables global addressing without the same reliance on NAT, which can simplify connectivity but also create unexpected exposure if policies are incomplete. The large IPv6 address space changes scanning behavior and pushes defenders toward strong asset inventory and monitoring rather than assuming discovery is easy. Dual-stack environments can create security gaps when defenders monitor IPv4 thoroughly but overlook IPv6 paths. The most important takeaway for beginners is that addresses are not just numbers, they are part of security boundaries, and learning to read and reason about IPv4 and IPv6 gives you a practical foundation for understanding reachability, segmentation, and why security controls must be applied consistently across both protocol versions.