
SLAAC and DHCPv6

Rick Graziani
Cabrillo College
Rick.Graziani@cabrillo.edu

Got IPv6?

STEAL MY STUFF!

Shameless plug:

www.cabrillo.edu/~rgraziani/ipv6.html

IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6
By Rick Graziani
ISBN-10: 1-58714-313-5

Username = cisco
Password = perlman

IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6
By Rick Graziani
ISBN-10: 1-58720-457-6

Introduction to SLAAC (Stateless Address Autoconfiguration)

Stateful vs Stateless

DHCPv6 Server: I might not even be needed.

STATEFUL: I need an IPv6 address from someone who is keeping track of who has what address.

STATELESS: I will come up with my own IPv6 address. No one will keep track of what address I have.

Hey! I can do that!

Stateful: Some server is keeping track or a record of the interaction.
Stateless: No one is keeping track or a record. But I can still make sure mine is unique.

Dynamic IPv6 Address Allocation


Global Unicast
  Manual
    Static
    Static + EUI 64
    IPv6 unnumbered
  Dynamic
    SLAAC (Stateless)
    SLAAC + DHCPv6 (Stateless)
    DHCPv6 (Stateful)
    DHCPv6-PD

Dynamic IPv4 Address Allocation


DHCP Client: I need IPv4 addressing information from a DHCP server.

DHCP Server: Here is your IPv4 address, subnet mask, default gateway and DNS server addresses.

It Begins with the RA Message


Router(config)# ipv6 unicast-routing

ICMPv6 Router Solicitation
Multicast: To all IPv6 routers, I need IPv6 address information.

ICMPv6 Router Advertisement
Multicast: To all IPv6 devices, let me tell you how to do this.

DHCPv6 Server: I might not even be needed.

An ICMPv6 Router Advertisement (RA) suggests to all IPv6 devices on the link how they will receive IPv6 address information.
  Sent periodically by an IPv6 router, or when the router receives a Router Solicitation message from a host.
Routers can be configured with IPv6 addresses without being an IPv6 router.

Routers versus IPv6 Routers


Router(config)# ipv6 unicast-routing

Router: 2001:DB8:CAFE:1::1/64, FE80::1
  FF02::1 (All-IPv6 devices)

IPv6 Router: 2001:DB8:CAFE:1::1/64, FE80::1
  FF02::1 (All-IPv6 devices)
  FF02::2 (All-IPv6 routers)
  ICMPv6 Router Advertisement
  RIPng, OSPFv3, EIGRP for IPv6
  Forward IPv6 Packets

A router (not enabled as an IPv6 router):
  Configure IPv6 addresses
  Member of All-IPv6 devices multicast group
An IPv6 router:
  Same as a non-IPv6 router
  Member of All-IPv6 routers multicast group
  Sends ICMPv6 Router Advertisement messages
  Can enable IPv6 routing protocols
  Forward IPv6 packets (transiting the router)

Router Advertisement: 3 Options

Option 1 and 2: Stateless Address Autoconfiguration
  DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration
  Address received from DHCPv6 Server

Router(config)# ipv6 unicast-routing

Option 1: SLAAC - No DHCPv6 (Default on Cisco routers)
  RA: I'm everything you need (Prefix, Prefix-length, Default Gateway).
Option 2: SLAAC + Stateless DHCPv6 for DNS address
  RA: Here is my information, but you need to get other information such as DNS addresses from a DHCPv6 server. (DNS can be in RA)
Option 3: All addressing except default gateway use DHCPv6
  RA: I can't help you. Ask a DHCPv6 server for all your information.

RA Message Options

ICMPv6 Router Advertisement: Option 1, 2, or 3
DHCPv6 Server

The type of Router Advertisement option depends on two RA flags:
  Other Configuration (O) Flag
  Managed Configuration (M) Flag

Option 1: SLAAC - No DHCPv6 (Default on Cisco routers)
Option 2: SLAAC + Stateless DHCPv6 for DNS address
Option 3: All addressing except default gateway use DHCPv6

Configuring Flags discussed in Lesson 8.

Obtaining an IPv6 Address Automatically

SLAAC: Stateless Address Autoconfiguration

MAC: 00-19-D2-8C-E0-4C
2001:DB8:CAFE:1::/64
DHCPv6 Server

1  SLAAC Option 1 RA Message
   To: FF02::1 (All-IPv6 devices)
   From: FE80::1 (Link-local address)
   Prefix: 2001:DB8:CAFE:1::
   Prefix-length: /64
2  Prefix: 2001:DB8:CAFE:1::
   Prefix-length: /64
   Default Gateway: FE80::1
3  Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID
   (EUI-64 Process or Random 64-bit value)

Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.

SLAAC: Interface ID

Address layout: Global Routing Prefix (/48) + Subnet ID (16-bit) = /64, followed by a 64-bit Interface ID.

SLAAC 64-bit Interface ID:
  EUI-64 Process
  Randomly Generated Number (Privacy Extension)

Operating systems shown: Windows XP, Server 2003; Linux; Windows Vista and newer; Mac OS X
Interface ID methods shown: EUI-64; Random 64-bit

DHCPv6 Server

Default OS behavior can be changed.



SLAAC: EUI-64 Option

MAC: 00-19-D2-8C-E0-4C
2001:DB8:CAFE:1::/64
DHCPv6 Server

1  SLAAC Option 1 RA Message
   To: FF02::1 (All-IPv6 devices)
   From: FE80::1 (Link-local address)
   Prefix: 2001:DB8:CAFE:1::
   Prefix-length: /64
2  Prefix: 2001:DB8:CAFE:1::
   Prefix-length: /64
   Default Gateway: FE80::1
3  Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID
   (EUI-64 Process or Random 64-bit value)

Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.

Modified EUI-64 Format (Extended Unique Identifier-64)

MAC address:      00-19-D2 (OUI, 24 bits)   8C-E0-4C (Device Identifier, 24 bits)
Insert FF-FE:     00-19-D2-FF-FE-8C-E0-4C
U/L bit flipped:  02-19-D2-FF-FE-8C-E0-4C   (first byte 0000 0000 becomes 0000 0010)

Verifying SLAAC on the PC Using EUI-64

PC> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   IPv6 Address. . . . . . . . : 2001:db8:cafe:1:0219:d2ff:fe8c:e04c
   Link-local IPv6 Address . . : fe80::0219:d2ff:fe8c:e04c
   Default Gateway . . . . . . : fe80::1

In the IPv6 address, the prefix comes from the Router Advertisement and the Interface ID from EUI-64.

A 64-bit Interface ID and the EUI-64 process accommodate:
  The IEEE specification for a 64-bit MAC address
  64-bit boundary processing

SLAAC: Random 64-bit Interface ID

Address layout: Global Routing Prefix (/48) + Subnet ID (16-bit) = /64, followed by a 64-bit Interface ID.

SLAAC 64-bit Interface ID:
  EUI-64 Process
  Randomly Generated Number (Privacy Extension)

Operating systems shown: Windows XP, Server 2003; Windows Vista and newer; Mac OS X; Linux
Interface ID methods shown: EUI-64; Random 64-bit

DHCPv6 Server


Verifying SLAAC on the PC Using Privacy Extension

PC-Windows7> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   IPv6 Address. . . . . . . . : 2001:db8:cafe:1:50a5:8a35:a5bb:66e1
   Link-local IPv6 Address . . : fe80::50a5:8a35:a5bb:66e1
   Default Gateway . . . . . . : fe80::1

In the IPv6 address, the prefix comes from the Router Advertisement. The Interface ID has no FF-FE, so it is not EUI-64.

SLAAC: Including the DNS Server in the RA *


G0/1: 2001:DB8:CAFE:1::/64
DNS Server: 2001:DB8:CAFE:1::99
ICMPv6 Router Advertisement: Prefix and other information

Router(config)# ipv6 unicast-routing
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd ra dns server 2001:db8:cafe:1::99 600

Configures a DNS server with an IPv6 address of 2001:DB8:CAFE:1::99 to be advertised in an RA with a lifetime of 600 seconds.

Ensuring Unique Unicast Addresses


Global Unicast - 2001:db8:cafe:1:0219:d2ff:fe8c:e04c
Link-local - fe80::50a5:8a35:a5bb:66e1

Neighbor Solicitation
Neighbor Advertisement?
  Not received = unique address
  Received = duplicate address

SLAAC is stateless: no entity (DHCPv6 server) is maintaining a state of address-to-device mappings.
How can we guarantee the address is unique?
  Duplicate Address Detection (DAD)
  Once required for all unicast addresses (static or dynamic); the RFC was updated so that DAD is only recommended.
  /64 Interface IDs!

You Are Probably Already Running IPv6


Diagram: R1 and devices labeled IPv4 / IPv6.
  RS: I need an IPv6 prefix
  Rogue RA: Here is an IPv6 prefix and gateway

Windows Vista or later, Mac OS X, Linux already running IPv6
Potential DoS or MITM attack, even if the router is not IPv6 enabled.
  Even if the router is not IPv6 enabled, your clients most likely are!
  I can still do a DoS attack on clients or perhaps even still do a MITM attack.
There are mitigation techniques such as RA Guard.

DHCPv6 (Dynamic Host Configuration Protocol for IPv6)

DHCPv6

Global Unicast
  Manual
    Static
    Static + EUI 64
    IPv6 unnumbered (Similar to IPv4 unnumbered)
  Dynamic
    SLAAC (Stateless)
    SLAAC + DHCPv6 (Stateless)
    DHCPv6 (Stateful)
    DHCPv6-PD

Obtaining an IPv6 Address Automatically

Stateless DHCPv6

RA Message

Option 1 and 2: Stateless Address Autoconfiguration
  DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration
  Address received from DHCPv6 Server

Router(config)# ipv6 unicast-routing

Option 1: SLAAC - No DHCPv6 (Default on Cisco routers)
  RA: I'm everything you need (Prefix, Prefix-length, Default Gateway).
Option 2: SLAAC + Stateless DHCPv6 for DNS address
  RA: Here is my information, but you need to get other information such as DNS addresses from a DHCPv6 server. (DNS can be in RA)
Option 3: All addressing except default gateway use DHCPv6
  RA: I can't help you. Ask a DHCPv6 server for all your information.

RA Message Options

ICMPv6 Router Advertisement: Option 1, 2, or 3
DHCPv6 Server

Option, by Other Configuration (O) Flag and Managed Configuration (M) Flag:
  Option 1: SLAAC - No DHCPv6 (Default on Cisco routers)
  Option 2: SLAAC + Stateless DHCPv6 for DNS address
  Option 3: All addressing except default gateway use DHCPv6

Router as a Stateless DHCPv6 Server


ICMPv6 Router Solicitation
ICMPv6 Router Advertisement
  Option 2: Stateless DHCPv6
  O Flag = 1, M Flag = 0

IPv6 Router & DHCPv6 Server (Stateless DHCP Server)

Stateless DHCPv6: I created my own address (Stateless), and have the default gateway, but I need a DNS address.

Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.

Setting the Other Configuration Flag


G 0/0
ICMPv6 Router Advertisement
  Option 2: Stateless DHCPv6
  O Flag = 1, M Flag = 0

Router(config)# interface gigabitethernet 0/0
Router(config-if)# ipv6 nd other-config-flag

SLAAC for Addressing & DNS for Other Information


MAC: 00-19-D2-8C-E0-4C
2001:DB8:CAFE:1::/64

1  RA Message: Stateless DHCPv6
   To: FF02::1 (All-IPv6 devices)
   From: FE80::1 (Link-local address)
   Prefix: 2001:DB8:CAFE:1::
   Prefix-length: /64
   Other Configuration Flag: 1
2  Prefix: 2001:DB8:CAFE:1::
   Prefix-length: /64
   Default Gateway: FE80::1
   Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID (EUI-64 Process or Random 64-bit value)
   2001:DB8:CAFE:1:6909:cb1c:36a0:a595

Stateless DHCPv6 Server: DHCPv6 for DNS

Stateless DHCPv6 Configuration

Configuring Router as a Stateless DHCPv6 Server


Diagram: DNS Server 2001:DB8:CAFE:9::99; G0/0 :1 on 2001:DB8:CAFE:1::/64; RA with O = 1; DHCPv6

Router(config)# ipv6 unicast-routing
Router(config)# ipv6 dhcp pool IPV6STATELESS
Router(config-dhcpv6)# dns-server 2001:DB8:CAFE:9::99
Router(config-dhcpv6)# domain-name www.example.com
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ipv6 address 2001:DB8:CAFE:1::1/64
Router(config-if)# ipv6 address FE80::1 link-local
Router(config-if)# ipv6 nd other-config-flag
Router(config-if)# ipv6 dhcp server IPV6STATELESS

Verifying Stateless DHCPv6 Server Configuration


Diagram: DNS Server 2001:DB8:CAFE:9::99; G0/0 :1 on 2001:DB8:CAFE:1::/64; RA with O = 1; DHCPv6

PC> ipconfig /all
   Physical Address. . . . : 00-21-9B-88-0E-40
   IPv6 Address. . . . . . : 2001:db8:cafe:1:6909:cb1c:36a0:a595    (Random 64 bits)
   Default Gateway . . . . : fe80::1
   DNS Servers . . . . . . : 2001:db8:cafe:9::99
   Connection-specific DNS Suffix Search List : www.example.com

Verifying Stateless DHCPv6 Server Configuration


Diagram: DNS Server 2001:DB8:CAFE:9::99; G0/0 :1 on 2001:DB8:CAFE:1::/64; RA with O = 1; DHCPv6

Router# show ipv6 interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  <Output omitted>
  Hosts use stateless autoconfig for addresses.
  Hosts use DHCP to obtain other configuration.
Router#

Stateful DHCPv6

RA Message

Option 1 and 2: Stateless Address Autoconfiguration
  DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration
  Address received from DHCPv6 Server

Router(config)# ipv6 unicast-routing

Option 1: SLAAC - No DHCPv6 (Default on Cisco routers)
  RA: I'm everything you need (Prefix, Prefix-length, Default Gateway).
Option 2: SLAAC + Stateless DHCPv6 for DNS address
  RA: Here is my information, but you need to get other information such as DNS addresses from a DHCPv6 server. (DNS can be in RA)
Option 3: All addressing except default gateway use DHCPv6
  RA: I can't help you. Ask a DHCPv6 server for all your information.

RA Message Options

ICMPv6 Router Advertisement: Option 1, 2, or 3
DHCPv6 Server

Option, by Other Configuration (O) Flag and Managed Configuration (M) Flag:
  Option 1: SLAAC - No DHCPv6 (Default on Cisco routers)
  Option 2: SLAAC + Stateless DHCPv6 for DNS address
  Option 3: All addressing except default gateway use DHCPv6

Router as a Stateful DHCPv6 Server


ICMPv6 Router Solicitation
ICMPv6 Router Advertisement
  Option 3: Stateful DHCPv6
  O Flag = 0, M Flag = 1

IPv6 Router & DHCPv6 Server (Stateful DHCP Server)

Stateless DHCPv6: I'm only using the default gateway address from the RA. I need to contact a stateful DHCPv6 server for all my addressing.

Option 3 and the A Flag


G 0/1
ICMPv6 RA: M Flag = 1, A Flag = 1 / 0
DHCPv6 Server

As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses.

Option 3: All addressing except default gateway use DHCPv6
  Managed Configuration (M) Flag = 1, Address Autoconfiguration (A) Flag = 1 (default): Prefix in RA can be used for SLAAC: Yes
  Managed Configuration (M) Flag = 1, Address Autoconfiguration (A) Flag = 0: Prefix in RA can be used for SLAAC: No

The autonomous address configuration (A) flag tells hosts that they can create an address for themselves by combining the prefix in the RA with an interface identifier.

Setting the Managed Configuration Flag


G 0/1
ICMPv6 Router Advertisement
DHCPv6 Server

Option 3: Stateful DHCPv6
  O Flag = 0, M Flag = 1

Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd managed-config-flag

Stateful DHCPv6 without SLAAC


G 0/1
ICMPv6 Router Advertisement
DHCPv6 Server

As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses.

Option 3: Stateful DHCPv6
  O Flag = 0, M Flag = 1
  No SLAAC: A Flag = 0

Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 nd prefix prefix/length no-autoconfig

no-autoconfig: (Optional) Indicates to hosts on the local link that the specified prefix cannot be used for IPv6 autoconfiguration (SLAAC). The prefix will be advertised with the A-bit clear (autonomous address-configuration flag).
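The M, O and A flags configured above, and the rogue RA concern raised earlier in the deck, can both be checked on captured RAs. This is an added example, not part of the original slides: `build_ra` and `audit` are illustrative helpers, the `fe80::bad` and `2001:db8:bad::/64` values are constructed, and the byte layout assumed is RFC 4861 with the RFC 6106 DNS option.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, RDNSS per RFC 6106)."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(icmp[5] & 0x80), "O": bool(icmp[5] & 0x40),
          "prefixes": [], "dns": []}
    pos = 16
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8  # length is in 8-byte units
        if olen == 0 or pos + olen > len(icmp):
            raise ValueError("malformed RA option")
        opt = icmp[pos:pos + olen]
        if otype == 3 and olen == 32:               # Prefix Information
            net = ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False)
            ra["prefixes"].append((str(net), bool(opt[3] & 0x40)))  # A flag
        elif otype == 25:                           # Recursive DNS Server
            ra["dns"] += [str(ipaddress.IPv6Address(opt[i:i + 16]))
                          for i in range(8, olen, 16)]
        pos += olen
    return ra

def addressing_option(ra: dict) -> str:
    """Map the M and O flags to the three options used on the slides."""
    if ra["M"]:
        return "Option 3: stateful DHCPv6"
    return "Option 2: SLAAC + stateless DHCPv6" if ra["O"] else "Option 1: SLAAC"

def audit(src: str, ra: dict, routers: set, prefixes: set) -> list:
    """Compare an observed RA with the link's expected routers and prefixes."""
    findings = []
    if str(ipaddress.IPv6Address(src)) not in routers:
        findings.append(f"RA from unexpected source {src}")
    findings += [f"unexpected prefix {p}" for p, _ in ra["prefixes"]
                 if p not in prefixes]
    return findings

def build_ra(m, o, prefix, a, dns=None) -> bytes:
    """Build a constructed sample RA (checksum zero) for the demo and tests."""
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6), 1800, 0, 0)
    msg += struct.pack("!BBBBIII", 3, 4, 64, 0x80 | (a << 6), 2592000, 604800, 0)
    msg += ipaddress.IPv6Address(prefix).packed
    if dns:
        msg += struct.pack("!BBHI", 25, 3, 0, 600) + ipaddress.IPv6Address(dns).packed
    return msg

if __name__ == "__main__":
    rogue = parse_ra(build_ra(0, 0, "2001:db8:bad::", 1))  # constructed rogue RA
    print(addressing_option(rogue))
    print(audit("fe80::bad", rogue, {"fe80::1"}, {"2001:db8:cafe:1::/64"}))
```

On a link where no IPv6 router is supposed to exist, pass empty sets for `routers` and `prefixes` so that every RA is reported.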

Stateful DHCPv6

As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses.

2001:DB8:CAFE:2::/64

1  RA Message: Stateful DHCPv6
   To: FF02::1 (All-IPv6 devices)
   From: FE80::1 (Link-local address)
   Prefix: 2001:DB8:CAFE:2::
   Prefix-length: /64
   Managed Configuration Flag: 1
   Autonomous Address Flag: 0
2  Default Gateway: FE80::1
   Global Unicast Address: DHCPv6

Stateful DHCPv6 Server

Stateful DHCPv6 Configuration

Configuring Router as a Stateful DHCPv6 Server


Diagram: DNS Server 2001:DB8:CAFE:9::99; G0/1 :1 on 2001:DB8:CAFE:2::/64; RA with M = 1; DHCPv6

Router(config)# ipv6 unicast-routing
Router(config)# ipv6 dhcp pool IPV6STATEFUL
Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80
Router(config-dhcpv6)# dns-server 2001:DB8:CAFE:9::99
Router(config-dhcpv6)# domain-name www.example.com
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ipv6 address 2001:DB8:CAFE:2::1/64
Router(config-if)# ipv6 address FE80::1 link-local
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 dhcp server IPV6STATEFUL

address prefix: Can be a /64

Including Specific Addresses


Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80

/64: 2001:DB8:CAFE:2::/64
  Available addresses for this network:
  2001:DB8:CAFE:2:0:0:0:0
  2001:DB8:CAFE:2:FFFF:FFFF:FFFF:FFFF

/80: 2001:DB8:CAFE:2:DEED::/80
  INCLUDED: assigned addresses will have these 80 bits.
  2001:DB8:CAFE:2:DEED:0:0:0
  2001:DB8:CAFE:2:DEED:0:0:1
  2001:DB8:CAFE:2:DEED:0:0:2 ...
  All other addresses are EXCLUDED.

Verifying Stateful DHCPv6 Server Configuration


Diagram: DNS Server 2001:DB8:CAFE:9::99; G0/1 :1 on 2001:DB8:CAFE:2::/64; RA with M = 1; DHCPv6

PC> ipconfig /all
   Physical Address. . . . : 00-21-9B-88-0E-40
   IPv6 Address. . . . . . : 2001:db8:cafe:2:deed:2de8:cfd8:5
   Default Gateway . . . . : fe80::1
   DNS Servers . . . . . . : 2001:db8:cafe:9::99
   Connection-specific DNS Suffix Search List : www.example.com

Verifying Stateful DHCPv6 Server Configuration


Diagram: DNS Server 2001:DB8:CAFE:9::99; G0/1 :1 on 2001:DB8:CAFE:2::/64; RA with M = 1; DHCPv6

Router# show ipv6 interface gigabitethernet 0/1
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:2::1, subnet is 2001:DB8:CAFE:2::/64
  <output omitted>
  Hosts use DHCP to obtain routable addresses.
Router#

DHCPv6 Prefix Delegation Process


(If there is time)

DHCPv4 and Private Addresses for the Home


Diagram labels:
  ISP: DHCPv4, G0/1
  HOME: NAT, DHCPv4, G0/1, G0/0
  G0/1: Public IPv4 Address for the interface
  G0/0: Private IPv4 Address (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

ISP only has to deliver a public IPv4 address for Home router interface.
DHCPv4 and RFC 1918 private address space is used for home network.
NAT is used for translation but has its drawbacks!
No NAT between private-public IPv6 (always in debate)

The World of IPv6 and DHCPv6-PD


Complete IPv6 Reachability

Delegating Router (DR): ISP-DR, G0/1
Requesting Router (RR): HOME-RR, G0/1 and G0/0

Diagram labels (steps numbered 1, 2, 3):
  Global IPv6 Address (shown twice)
  DHCPv6-PD REQUEST
  DHCPv6-PD REPLY
  RA with prefix

www.cabrillo.edu/~rgraziani/ipv6.html

Thank you and STEAL MY STUFF!
Username = cisco
Password = perlman
