SLAAC and DHCPv6 Rick Graziani Cabrillo College [email protected] Got IPv6?

SLAAC and DHCPv6

Rick GrazianiCabrillo College

[email protected]

Got IPv6?

©

Shameless plug:

IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6• By Rick Graziani• ISBN-10: 1-58714-313-5

IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6• By Rick Graziani• ISBN-10: 1-58720-457-6

STEAL MY STUFF!

Username = ciscoPassword = perlman

www.cabrillo.edu/~rgraziani/ipv6.html

©

Running Out of IPv4

• The regions with the largest populations have the lowest percentages of people connected to the Internet

Graphic from Internet World Stats, www.internetworldstats.com/stats.htm

©

When is IPv6 going to happen?

©

From Misperceptions about ARIN IPv4 Depletion (from ARIN)

©

• ISPs are running out or have run out of IPv4

• 70% of ISP transit traffic (IPv4 and IPv6) is being carried over IPv6 (Cisco Live, 2015)

• Large ISPs looking to go to IPv6 only• CGN is not a good option (breaks things)• 47% of Internet content available on IPv6• Parts of Internet going IPv6 only• ISPs, mobile feeling the wave now• Home and corporate content is next wave• US Corporate office …. Well ….

Wave hitting the ISP shores

©

CGN breaks (from RFC 6598)• Console gaming• Video streaming• Peer-to-Peer Applications• Geo-location

100.64.0.0/10

192.168.1.0/24

©

CENIC customers may be allocated space no larger than a /27 (32 usable addresses).

In all cases, utilization of 85% or greater must be demonstrated before additional space will be allocated.

©

And then there’s mobile…

• Facebook sees 20-40% (1-2 seconds) better performance because no NAT, CGN, etc.

• Facebook internally is IPv6 only

©

Comcast X1 is IPv6 Only - Comcast Voice is going IPv6 only

©

The benefits of deploying IPv6 onlyGeoff Huston (APNIC) Addressing NANOG64 (2015) (Comcast, Facebook, T-Mobile)

• 2013 – Less than 1% IPv6

• 2014 – 5%• 2015 – 20%• Why the sudden

growth?• Because operators

have had to go to IPv6• Comcast – 45% is

IPv6 for those dual stack

https://www.youtube.com/watch?v=EfjdOc41g0s

©

©

Introduction to SLAAC (Stateless Address Autoconfiguration)

©

Hey! I can do that!

Stateful vs Stateless

• Stateful – Some server is keeping track or a record of the interaction.• Stateless – No one is keeping track or a record…. But device can still make

sure theirs is unique.

DHCPv6 Server

STATEFUL: I need an IPv6 address

from someone who is keeping track of

who has what address.

I might not even be needed.

STATELESS: I will come up with my own IPv6 address…. No

one will keep track of what address I have.

©

Dynamic IPv6 Address Allocation

Global Unicast

Manual Dynamic

StaticIPv6

unnumbered

Static + EUI 64

SLAAC DHCPv6

SLAAC + DHCPv6

Stateless Stateful

DHCPv6-PD

©

DHCP Server

Dynamic IPv4 Address Allocation

DHCP Client

I need an IPv4 addressing information from a DHCP server.

Here is your IPv4 address, subnet mask,

default gateway and DNS server addresses.

©

It Begins with the RA Message

• An ICMPv6 Router Advertisement (RA) suggests to all IPv6 devices on the link how it will receive IPv6 Address Information.

• Sent periodically by an IPv6 router or…• … when the router receives a Router Solicitation message from a host.• Routers can be configured with IPv6 addresses without being an IPv6 router.

DHCPv6 Server

ICMPv6 Router Advertisement

ICMPv6 Router Solicitation

Multicast: To all IPv6 routers, I need

IPv6 address information

Multicast: To all IPv6 devices,

let me tell you how to do this …

I might not even be needed.

Router(config)# ipv6 unicast-routing

©

Routers versus IPv6 Routers

• A router (not enabled as an IPv6 router):• Configure IPv6 addresses• Member of All-IPv6 devices multicast group

• An IPv6 router:• Same as a non-IPv6 router• Member of All-IPv6 routers multicast group• Sends ICMPv6 Router Advertisement messages• Can enable IPv6 routing protocols• Forward IPv6 packets (transiting the router)

Router IPv6 Router

2001:DB8:CAFE:1::1/64FE80::1

2001:DB8:CAFE:1::1/64FE80::1

FF02::1 (All-IPv6 devices) FF02::1 (All-IPv6 devices)FF02::2 (All-IPv6 routers)


Forward IPv6 Packets

RIPng OSPFv3 EIGRP for IPv6


©

Router Advertisement: 3 Options

DHCPv6 Server

RA


Option 1: SLAAC – No DHCPv6 (Default on Cisco routers)

“I’m everything you need (Prefix, Prefix-length, Default Gateway)”

Option 2: SLAAC + Stateless DHCPv6 for DNS address

“Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA)

Option 3: All addressing except default gateway use DHCPv6

“I can’t help you. Ask a DHCPv6 server for all your information.”

DHCPv6

Option 1 and 2: Stateless Address Autoconfiguration• DHCPv6 Server does not maintain state of addressesOption 3: Stateful Address Configuration• Address received from DHCPv6 Server

©

RA Message Options

DHCPv6 Server

ICMPv6 Router AdvertisementOption 1, 2, or 3

Option Other Configuration (“O”) Flag

Managed Configuration (“M”) Flag


0 0


1 0


0 1

• Configuring Flags discussed in Lesson 8.

The type of Router Advertisement option depends on two RA flags:

©

Obtaining an IPv6 Address Automatically

©

Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.

SLAAC Option 1 – RA Message

To: FF02::1 (All-IPv6 devices)

From: FE80::1 (Link-local address)

Prefix: 2001:DB8:CAFE:1::

Prefix-length: /64

RA

1

MAC: 00-19-D2-8C-E0-4C


Prefix-length: /64

Default Gateway: FE80::1

Global Unicast Address:

2001:DB8:CAFE:1: + Interface ID

2001:DB8:CAFE:1::/64

EUI-64 Process or Random 64-bit value

2

DHCPv6 Server

3

SLAAC: Stateless Address Autoconfiguration

©

SLAAC: Interface ID

Global Routing Prefix 64-bit Interface ID16-bit Subnet ID

/64/48

EUI-64 Process Randomly Generated Number(Privacy Extension)

SLAACOperating System

EUI-64 Random 64-bit

Windows XP, Server 2003 ✔Windows Vista and newer ✔MAC OSX ✔Linux ✔

DHCPv6 Server

Default OS behavior can be changed.

Known instead of unknown © Copyright DOC RABE Media Man in paper bag on head © Copyright binik

©

Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.

SLAAC Option 1 – RA Message




Prefix-length: /64

RA

1

MAC: 00-19-D2-8C-E0-4C


Prefix-length: /64




2001:DB8:CAFE:1::/64


2

DHCPv6 Server

3

SLAAC: EUI-64 Option

©

Modified EUI-64 Format (Extended Unique Identifier–64)

00 19 D2 8C E0 4C

OUI (24 bits) Device Identifier (24 bits)

00 19 D2 8C E0 4CFF FE

19 D2 8C E0 4CFF FE0000 000000

U/L bit flipped

0000 0010

02 19 D2 8C E0 4CFF FE

Insert FF-FE

©

PC> ipconfigWindows IP ConfigurationEthernet adapter Local Area Connection: IPv6 Address. . . . . . . . : 2001:db8:cafe:1:0219:d2ff:fe8c:e04c Link-local IPv6 Address . . : fe80::0219:d2ff:fe8c:e04c Default Gateway . . . . . : fe80::1

Router Advertisement EUI-64

A 64-bit Interface ID and the EUI-64 process accommodates:• The IEEE specification for a 64-bit MAC address• 64-bit boundary processing

Verifying SLAAC on the PC Using

EUI-64

Why. The Dude looking at the red question mark © Copyright jojje11

©

SLAAC: Random 64-bit Interface ID

Global Routing Prefix 64-bit Interface ID16-bit Subnet ID

/64/48

EUI-64 Process Randomly Generated Number(Privacy Extension)

SLAACOperating System

EUI-64 Random 64-bit

Windows XP, Server 2003 ✔Windows Vista and newer ✔MAC OSX ✔Linux ✔

DHCPv6 Server

Known instead of unknown © Copyright DOC RABE Media Man in paper bag on head © Copyright binik

©

PC-Windows7> ipconfigWindows IP ConfigurationEthernet adapter Local Area Connection: IPv6 Address. . . . . . . . : 2001:db8:cafe:1:50a5:8a35:a5bb:66e1 Link-local IPv6 Address . . : fe80::50a5:8a35:a5bb:66e1 Default Gateway . . . . . : fe80::1

Router Advertisement EUI-64

Verifying SLAAC on the PC Using

Privacy Extension

No FF-FE

©

SLAAC: Including the DNS Server in the RA *

DNS Server


ICMPv6 Router Advertisement• Prefix and other information

G0/12001:DB8:CAFE:1::/64

Router(config)# ipv6 unicast-routingRouter(config)# interface gigabitethernet 0/1Router(config-if)# ipv6 nd ra dns server 2001:db8:cafe:1::99 600

2001:DB8:CAFE:1::99

Configures a DNS server with an IPv6 address of 2001:DB8::CAFE:1::1 to be advertised in an RA with a lifetime of 600 seconds.

©

Global Unicast - 2001:db8:cafe:1:50a5:8a35:a5bb:66e1Link-local - fe80::50a5:8a35:a5bb:66e1

Neighbor Advertisement?

Neighbor Solicitation

Ensuring Unique Unicast Addresses

Not received = unique addressReceived = duplicate address

• SLAAC is stateless, no entity (DHCPv6 server) maintaining a state address-to-device mappings.

• How can we guarantee the address is unique?• Duplicate Address Detection (DAD)

• Once required for all unicast addresses (static or dynamic), RFC was updated that DAD is only recommended.

• /64 Interface IDs!

©

You Are Probably Already Running IPv6

• Windows Vista or later, Mac OSX, Linux already running IPv6• Potential DoS or MITM attack, even if the router is not IPv6 enabled.• Even if the router is not IPv6 enabled, your clients are mostly like are!• I can still do a DoS attack on clients or perhaps even still to a MITM

attack.• There are mitigation techniques such as RA Guard.

R1

Rogue RA

RSIPv4IPv6IPv4

IPv6

IPv4IPv6

I need an IPv6 prefix

Here is an IPv6 prefix

and gateway

People Icon: Occupations set 5 © Copyright Fredy Sujono

DHCPv6 (Dynamic Host Configuration Protocol for IPv6)

©

DHCPv6

Global Unicast

Manual Dynamic

StaticIPv6

unnumbered

Static + EUI 64

SLAAC DHCPv6

SLAAC + DHCPv6

Similar to IPv4 unnumbered

Stateless Stateful

DHCPv6-PD

©

Obtaining an IPv6 Address Automatically

Stateless DHCPv6

©

RA Message

DHCPv6 Server

RA








DHCPv6


©

RA Message Options

DHCPv6 Server





0 0


1 0


0 1

©

Setting the Other Configuration Flag


• Option 2: Stateless DHCPv6• O Flag = 1, M Flag = 0

Router(config)# interface gigabitethernet 0/0Router(config-if)# ipv6 nd other-config-flag

G 0/0

©

RA Message: Stateless DHCPv6




Prefix-length: /64

Other Configuration Flag: 1

RA

1

MAC: 00-19-D2-8C-E0-4C


Prefix-length: /64




2001:DB8:CAFE:1::/64


2

Stateless DHCPv6 Server3

SLAAC for Addressing & DNS for Other Information

2001:DB8:CAFE:1:6909:cb1c:36a0:a595DHCPv6For DNS

Stateless DHCPv6 Configuration

©


Router(config)# ipv6 dhcp pool IPV6-STATELESSRouter(config-dhcpv6)# dns-server 2001:DB8:CAFE:9::99Router(config-dhcpv6)# domain-name www.example.com

Router(config)# interface GigabitEthernet 0/0Router(config-if)# ipv6 address 2001:DB8:CAFE:1::1/64Router(config-if)# ipv6 address FE80::1 link-localRouter(config-if)# ipv6 nd other-config-flagRouter(config-if)# ipv6 dhcp server IPV6-STATELESS

Configuring Router as a Stateless DHCPv6 Server2001:DB8:CAFE:1/64G0/0

:1DNS Server

2001:DB8:CAFE:9::99 RAO = 1

DHCPv6

©

PC> ipconfig /all

Physical Address. . . .: 00-21-9B-88-0E-40 IPv6 Address. . . . . .: 2001:db8:cafe:1:6909:cb1c:36a0:a595 Default Gateway . . . .: fe80::1 DNS Servers . . . . . .: 2001:db8:cafe:9::99 Connection-specific DNS Suffix Search List: www.example.com

2001:DB8:CAFE:1/64G0/0:1

DNS Server

2001:DB8:CAFE:9::99 RAO = 1

DHCPv6

Verifying Stateless DHCPv6 Server Configuration

Random 64 bits

©

Router# show ipv6 interface gigabitethernet 0/0GigabitEthernet 0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::1 Global unicast address(es): 2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64 <Output omitted> Hosts use stateless autoconfig for addresses. Hosts use DHCP to obtain other configuration.Router#

2001:DB8:CAFE:1/64G0/0:1

DNS Server

2001:DB8:CAFE:9::99 RAO = 1

DHCPv6

Verifying Stateless DHCPv6 Server Configuration

Stateful DHCPv6

©

RA Message

DHCPv6 Server

RA








DHCPv6


©

RA Message Options

DHCPv6 Server





0 0


1 0


0 1

©

Option 3 and the “A” Flag

Option Managed Configuration (“M”) Flag

Address Autoconfiguration (“A”) Flag

Prefix in RA can be used for SLAAC


1 1 (default) Yes


1 0 No

ICMPv6 RAM Flag = 1A Flag = 1

G 0/1

DHCPv6

DHCPv6 Server

As a Windows host I will still use the RA prefix to create

temporary (SLAAC) addresses)

0

The autonomous address configuration (A) flag tells hosts that they can create an address for themselves by combining the prefix in the RA with an interface identifier.

©

Setting the Managed Configuration Flag


• Option 3 Stateful DHCPv6 • O Flag = 0, M Flag = 1

Router(config)# interface gigabitethernet 0/1Router(config-if)# ipv6 nd managed-config-flag

G 0/1

DHCPv6

DHCPv6 Server

©

Stateful DHCPv6 without SLAAC


• Option 3 Stateful DHCPv6 • O Flag = 0, M Flag = 1• No SLAAC: A Flag = 0

Router(config)# interface gigabitethernet 0/1Router(config-if)# ipv6 nd managed-config-flagRouter(config-if)# ipv6 nd prefix prefix/length no-autoconfig

G 0/1

DHCPv6

DHCPv6 Server

• no-autoconfig (Optional) Indicates to hosts on the local link that the specified prefix cannot be used for IPv6 autoconfiguration (SLAAC).

• The prefix will be advertised with the A-bit clear (autonomous address-configuration flag).



©

RA Message: Stateful DHCPv6




Prefix-length: /64

Managed Configuration Flag: 1

Autonomous Address Flag: 0

RA

1


Global Unicast Address: DHCPv6

2001:DB8:CAFE:2::/64

2

Stateful DHCPv6 Server

Stateful DHCPv6

DHCPv6



Stateful DHCPv6 Configuration

©


Router(config)# ipv6 dhcp pool IPV6-STATEFULRouter(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80Router(config-dhcpv6)# dns-server 2001:DB8:CAFE:9::99Router(config-dhcpv6)# domain-name www.example.com

Router(config)# interface GigabitEthernet 0/1Router(config-if)# ipv6 address 2001:DB8:CAFE:2::1/64Router(config-if)# ipv6 address FE80::1 link-localRouter(config-if)# ipv6 nd managed-config-flagRouter(config-if)# ipv6 dhcp server IPV6-STATEFUL

Configuring Router as a Stateful DHCPv6 Server2001:DB8:CAFE:2/64G0/1

:1DNS Server

2001:DB8:CAFE:9::99 RAM = 1

DHCPv6

Can be a /64

©

Including Specific Addresses

2001:DB8:CAFE:2::/642001:DB8:CAFE:2:0:0:0:02001:DB8:CAFE:2:FFFF:FFFF:FFFF:FFFF

2001:DB8:CAFE:2:DEED::/802001:DB8:CAFE:2:DEED:0:0:02001:DB8:CAFE:2:DEED:0:0:12001:DB8:CAFE:2:DEED:0:0:2 . . .

/64 /80

INCLUDED assigned addresses will have these 80 bits.

Available addresses for this network

Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80

All other addresses are EXCLUDED

©

PC> ipconfig /all

Physical Address. . . .: 00-21-9B-88-0E-40 IPv6 Address. . . . . .: 2001:db8:cafe:2:deed:2de8:cfd8:5 Default Gateway . . . .: fe80::1 DNS Servers . . . . . .: 2001:db8:cafe:9::99 Connection-specific DNS Suffix Search List: www.example.com

2001:DB8:CAFE:2/64G0/1:1

DNS Server

2001:DB8:CAFE:9::99 RAM = 1

DHCPv6

Verifying Stateful DHCPv6 Server Configuration

©

Router# show ipv6 interface gigabitethernet 0/1GigabitEthernet 0/1 is up, line protocol is up IPv6 is enabled, link-local address is FE80::1 Global unicast address(es): 2001:DB8:CAFE:2::1, subnet is 2001:DB8:CAFE:2::/64 <output omitted> Hosts use DHCP to obtain routable addresses.Router#

2001:DB8:CAFE:2/64G0/1:1

DNS Server

2001:DB8:CAFE:9::99 RAM = 1

DHCPv6

Verifying Stateful DHCPv6 Server Configuration

DHCPv6 Prefix Delegation Process(If there is time)

©

DHCPv4 and Private Addresses for the Home

• ISP only has to deliver a public IPv4 address for Home router interface.• DHCPv4 and RFC 1918 private address space is used for home

network.• NAT is used for translation – but has its drawbacks!• No NAT between private-public IPv6 (always in debate)

ISP HOME

Public IPv4 Addressfor the interface

G0/1 G0/1

10.0.0.0/8172.16.0.0/12192.168.0.0/16

G0/0

Private IPv4 Address

NAT

DHCPv4 DHCPv4

©

The World of IPv6 and DHCPv6-PD

ISP-DR HOME-RRG0/1 G0/1 G0/0

Delegating Router (DR)

Requesting Router (RR)

Global IPv6 Address Global IPv6 Address

Complete IPv6 Reachability

DHCPv6-PD REQUEST

DHCPv6-PD REPLY

1

2

RA with prefix3

©

Thank you and STEAL MY STUFF!

Username = ciscoPassword = perlman

www.cabrillo.edu/~rgraziani/ipv6.html

Documents

SLAAC and DHCPv6 Rick Graziani Cabrillo College [email protected] Got IPv6?