DHCPv6+SLAAC+RA = DHCPv4

We all know that IPv6 handles host network parameter initialization a bit differently than IPv4 (where we usually use DHCP), but the details could still confuse you if you’re just entering the IPv6 world.

A typical LAN-attached host needs its own address as well as the addresses of the default router and DNS server. DHCPv4 provides all three; in the IPv6 world you need two or three protocols, as summarized in the following table:

Parameter  DHCPv4  DHCPv6 [1]  SLAAC [2]  RA [3]
Host address [4]
Default router
DNS server [5]
DNS search list [5]

This is how I would set up a typical IPv6 subnet:

  • Unless you want to have tight control over host IPv6 addresses, deploy DHCPv6 servers on the routers without associated IPv6 address pools. DHCPv6 should be used just to pass the DNS information to the hosts.
  • Enable RA on all LAN interfaces. If your LAN switches support RA guard, you should enable it to prevent RA spoofing and MITM attacks. RA is enabled by default on most LAN interfaces (but check BVI, SVI and wireless interfaces).
  • Use the RA RDNSS option whenever possible, making sure even broken operating systems without DHCPv6 support get IPv6 DNS information.
  • Use SLAAC with privacy extensions. RA is enabled, so SLAAC works; use of privacy extensions has to be configured on the host (it’s enabled by default on most modern operating systems).
  • Use a DNS server that supports dynamic host registration. Dynamically-assigned (and frequently changing) IPv6 addresses can turn your troubleshooting efforts into a nightmare. If the IPv6 hosts register their addresses with your DNS server, you’ll have at least a fighting chance.
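Which protocol ends up supplying each parameter on a given subnet is signalled by the RA itself: the M and O flags, the A flag on each prefix, and the RDNSS/DNSSL options. The following is an added example, not code from the original post: it parses a captured RA (field layouts per RFC 4861 and RFC 6106) and reports those sources, which is also a quick way to see what an unexpected RA on a segment is announcing. The function names and the sample packet are constructed for illustration, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

def decode_names(data):
    """Decode the DNS-encoded, zero-padded domain names of a DNSSL option."""
    names, labels, i = [], [], 0
    while i < len(data):
        n = data[i]
        if n:
            labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        elif labels:                      # zero byte ends a name (or is padding)
            names.append(".".join(labels))
            labels = []
        i += n + 1
    return names

def parse_ra(msg):
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 type byte."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", msg, 5)
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "slaac": [], "rdnss": [], "dnssl": []}
    off = 16
    while off < len(msg):
        size = msg[off + 1] * 8 if off + 1 < len(msg) else 0  # length is in 8-byte units
        if size == 0 or off + size > len(msg):
            raise ValueError("malformed option")
        kind, body = msg[off], msg[off:off + size]
        if kind == 3 and size == 32 and body[3] & 0x40:   # Prefix Information, A flag set
            ra["slaac"].append(str(ipaddress.IPv6Network((body[16:32], body[2]), strict=False)))
        elif kind == 25:                                   # RDNSS: 16-byte addresses
            ra["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(8, size, 16)]
        elif kind == 31:                                   # DNSSL: search list
            ra["dnssl"] += decode_names(body[8:])
        off += size
    return ra

def sources(ra):
    """Which protocol supplies each parameter, according to this RA."""
    dhcp_other = ["DHCPv6"] if ra["M"] or ra["O"] else []
    return {"host address": ["SLAAC"] * bool(ra["slaac"]) + ["DHCPv6"] * ra["M"],
            "default router": ["RA"] * bool(ra["router_lifetime"]),
            "DNS server": ["RA RDNSS"] * bool(ra["rdnss"]) + dhcp_other,
            "DNS search list": ["RA DNSSL"] * bool(ra["dnssl"]) + dhcp_other}

# Constructed sample: O flag set (stateless DHCPv6), one SLAAC prefix, RDNSS and DNSSL.
SAMPLE_RA = (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0)
    + struct.pack("!BBBBII4x", 3, 4, 64, 0xC0, 86400, 14400) + ipaddress.IPv6Address("2001:db8:1::").packed
    + struct.pack("!BBHI", 25, 3, 0, 600) + ipaddress.IPv6Address("2001:db8::53").packed
    + struct.pack("!BBHI", 31, 3, 0, 600) + b"\x07example\x03com\x00" + b"\x00" * 3)
```

Calling `sources(parse_ra(SAMPLE_RA))` on the constructed packet shows the setup described in the list above: addresses from SLAAC only, the default router from RA, and DNS information from both RA options and stateless DHCPv6.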

  1. As of January 2023, DHCPv6 is still not supported on Android due to the obstinate opinions of a few individuals. ↩︎

  2. SLAAC (RFC 2462) uses RA to get IPv6 prefix information for the local subnet. ↩︎

  3. Router Advertisements (RA) are part of ICMPv6 (RFC 4443). ↩︎

  4. While it might be desirable to retain control over IPv6 address allocation with IPv6, it’s better to use SLAAC with privacy extensions (RFC 4941), otherwise the web servers throughout the Internet can track your end-users based on their IPv6 addresses. ↩︎

  5. You might want to check whether IPv6 RA options for DNS configuration (RFC 6106) are implemented in your operating system(s). ↩︎ ↩︎

7 comments:

  1. Ivan, did you try some of them in a real network?

    Our experience:
    - SLAAC works, but you don't know anything about your Clients
    - Disabled SLAAC on Routers (no prefix announcement); DHCPv6 on Windows - works well for Windows 7 Clients BUT breaks MacOS-X (timeout on firefox-browser, so no valid option)
    - Enabled SLAAC+DHCPv6: Windows Clients are now using private address for outgoing connection and not DHCPv6 address anymore... Well done, bye bye control...

    We did not find anything to change this behavior.

    regards
    Dietmar
  2. Windows by default generates random interface IDs for non-temporary autoconfigured IPv6 addresses. To change this, type:

    netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
  3. Absolutely, we're running IPv6 in production for well over a year. We use SLAAC with stateless DHCPv6 (other-config) and dynamic DNS registration with Windows DNS server (so we get the reverse mappings)
  4. Don't know if this fits in here. But I'll give it a try anyways.
    I'm trying to assign a few IPv6 addresses to a single interface on Red Hat.
    I want 'N' ipv6 addresses answering on eth0 since I have multiple server instances running; each requiring its own ipv6 address.

    Is something like this doable:
    1. Option 1
    eth0:1 => autoconfig EUI-64 (since I have a single MAC address for the i/f)
    eth0:2 => autoconfig privacy extension (rfc4941)
    eth0:3 => autoconfig privacy extension (rfc4941)
    eth0:4 => autoconfig privacy extension (rfc4941)
    ...

    2. Option 2

    eth0:1 => autoconfig privacy extension (rfc4941)
    eth0:2 => autoconfig privacy extension (rfc4941)
    eth0:3 => autoconfig privacy extension (rfc4941)
    eth0:4 => autoconfig privacy extension (rfc4941)
    ...

    I'm trying to avoid static IP.

    Thanks
  5. Ivan's approach seems to be the most practical in an enterprise setting, at least for now.
  6. Yes, I know this option. But it's not the best idea to disable IPv6 private addressing for a roaming notebook all the time in terms of tracking and security (nevertheless I don't know if the system is using DHCP or SLAAC address for outgoing connections)
    Some of our customers are still stuck in IPv4 operating practices. Sometimes they are using fixed IP DHCP assignments together with firewall rules. I know that this practice is not the best one, but at this time I did not find any possible solution to bring such an option to an IPv6 network while supporting Windows and Mac OS X clients....
  7. I would strongly suggest you use static IPv6 addresses for servers.