DHCPv6+SLAAC+RA = DHCPv4

We all know that IPv6 handles host network parameter initialization a bit differently than IPv4 (where we usually use DHCP), but the details could still confuse you if you’re just entering the IPv6 world.

LAN-attached hosts first: a typical host needs its own address as well as the addresses of the default router and DNS server. DHCPv4 provides all three; in the IPv6 world you need two or three protocols, as summarized in the following table:

| Parameter | DHCPv4 | DHCPv6 | SLAAC [1] | RA [2] |
|---|---|---|---|---|
| Host address | Yes | Yes [3] | Yes | |
| Default router | Yes | No | | Yes |
| DNS server | Yes | Yes | | Yes [4] |
| DNS search list | Yes | Yes | | Yes [4] |

Notes:

  1. SLAAC (RFC 2462) uses RA to get IPv6 prefix information for the local subnet.
  2. Router Advertisements (RA) are part of ICMPv6 (RFC 4443).
  3. While it might be desirable to retain control over IPv6 address allocation with IPv6, it’s better to use SLAAC with privacy extensions (RFC 4941), otherwise the web servers throughout the Internet can track your end-users based on their IPv6 addresses.
  4. IPv6 RA options for DNS configuration (RFC 6106) are rarely implemented in desktop operating systems.

In my opinion it makes most sense to:

  • Deploy DHCPv6 servers on the routers without associated IPv6 address pools. DHCPv6 should be used just to pass the DNS information to the hosts;
  • Enable RA on all LAN interfaces. If your LAN switches support RA guard, you should enable it to prevent RA spoofing and MITM attacks. RA is enabled by default on most LAN interfaces (but check BVI, SVI and wireless interfaces).
  • Use SLAAC with privacy extensions. RA is enabled, so SLAAC works; use of privacy extensions has to be configured on the host.
  • Use a DNS server that supports dynamic host registration. Dynamically-assigned (and frequently changing) IPv6 addresses can turn your troubleshooting efforts into a nightmare. If the IPv6 hosts register their addresses with your DNS server, you’ll have at least a fighting chance.
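
The flags in a Router Advertisement are what tell a host whether to run SLAAC, DHCPv6 or both. The Python sketch below is an added example, not part of the original post: it decodes an RA (RFC 4861 layout) and reports which mechanism supplies each parameter from the table, plus whether the sender is on a list of expected routers. The function names, the sample packet and the router addresses are constructed for illustration.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Decode the Router Advertisement fields that steer host configuration."""
    if len(icmp) < 16 or icmp[0] != 134:            # ICMPv6 type 134 = RA
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp[5] & 0x80),          # M flag: addresses from DHCPv6
          "other": bool(icmp[5] & 0x40),            # O flag: other config from DHCPv6
          "router_lifetime": struct.unpack("!H", icmp[6:8])[0],
          "slaac_prefixes": [], "rdnss": []}
    off = 16                                        # options follow the fixed header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8  # length field counts 8-byte units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed option")
        opt = icmp[off:off + olen]
        if otype == 3 and olen == 32 and opt[3] & 0x40:   # Prefix Information, A flag
            net = ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False)
            ra["slaac_prefixes"].append(str(net))
        elif otype == 25 and olen >= 24:            # RDNSS option (RFC 6106)
            ra["rdnss"] += [str(ipaddress.IPv6Address(opt[i:i + 16]))
                            for i in range(8, olen, 16)]
        off += olen
    return ra

def audit_ra(src: str, icmp: bytes, allowed_routers: set) -> dict:
    """Report which mechanism supplies each parameter and flag unexpected senders."""
    ra = parse_ra(icmp)
    allowed = {ipaddress.IPv6Address(a) for a in allowed_routers}
    address = (["SLAAC"] if ra["slaac_prefixes"] else []) + (["DHCPv6"] if ra["managed"] else [])
    dns = (["DHCPv6"] if ra["managed"] or ra["other"] else []) + (["RA"] if ra["rdnss"] else [])
    return {"rogue": ipaddress.IPv6Address(src) not in allowed,
            "address": address,
            "default_router": ["RA"] if ra["router_lifetime"] else [],
            "dns": dns}

# Constructed sample: O flag set, router lifetime 1800 s, SLAAC prefix 2001:db8:1::/64.
SAMPLE_RA = (bytes([134, 0, 0, 0, 64, 0x40]) + struct.pack("!HII", 1800, 0, 0)
             + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 2592000, 604800, 0)
             + ipaddress.IPv6Address("2001:db8:1::").packed)

if __name__ == "__main__":
    # Expected router fe80::1 versus an unlisted sender (both addresses are made up).
    print(audit_ra("fe80::1", SAMPLE_RA, {"fe80::1"}))
    print(audit_ra("fe80::66", SAMPLE_RA, {"fe80::1"}))
```

The sketch does not verify the ICMPv6 checksum and only gives visibility from a host or sensor; RA guard on the switch is what actually drops advertisements from non-router ports.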

More information

Various IPv6 access interface configurations are described in my Building IPv6 Service Provider Core webinar (buy the recording or register for an online session); if you’re an enterprise engineer running a decently large network, you’ll find it useful despite its title.

Entry-level information for enterprise engineers considering IPv6 deployment in their networks is summarized in my Enterprise IPv6 – the first steps webinar (buy the recording or register for an online session).

Both webinars are also available as part of the yearly subscription package.

7 comments:

  1. Ivan, did you try some of them in a real network?

    Our experience:
    - SLAAC works, but you don't know anything about your Clients
    - Disabled SLAAC on Routers (no prefix announcement); DHCPv6 on Windows - works well for Windows 7 Clients BUT breaks MacOS-X (timeout on firefox-browser, so no valid option)
    - Enabled SLAAC+DHCPv6: Windows Clients are now using private address for outgoing connection and not DHCPv6 address anymore... Well done, bye bye control...

    We did not find anything to change this behavior.

    regards
    Dietmar

  2. Windows by default generates random interface IDs for non-temporary autoconfigured IPv6 addresses. To change this, type:

    netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

  3. Absolutely, we're running IPv6 in production for well over a year. We use SLAAC with stateless DHCPv6 (other-config) and dynamic DNS registration with Windows DNS server (so we get the reverse mappings)

  4. Don't know if this fits in here. But I'll give it a try anyways.
    I'm trying to assign a few IPv6 addresses to a single interface on Red Hat.
    I want 'N' ipv6 addresses answering on eth0 since I have multiple server instances running; each requiring its own ipv6 address.

    Is something like this doable:
    1. Option 1
    eth0:1 => autoconfig EUI-64 (since I have a single MAC address for the i/f)
    eth0:2 => autoconfig privacy extension (rfc4941)
    eth0:3 => autoconfig privacy extension (rfc4941)
    eth0:4 => autoconfig privacy extension (rfc4941)
    ...

    2. Option 2

    eth0:1 => autoconfig privacy extension (rfc4941)
    eth0:2 => autoconfig privacy extension (rfc4941)
    eth0:3 => autoconfig privacy extension (rfc4941)
    eth0:4 => autoconfig privacy extension (rfc4941)
    ...

    I'm trying to avoid static IP.

    Thanks

  5. Ivan's approach seems to be the most practical in an enterprise setting, at least for now.

  6. Yes, I know this option. But it's not the best idea to disable IPv6 private addressing for a roaming notebook all the time in terms of tracking and security (nevertheless I don't know if the system is using DHCP or SLAAC address for outgoing connections)
    Some of our customers are still stuck in IPv4 operating practices. Sometimes they are using fixed IP DHCP assignments together with firewall rules. I know that this practice is not the best one, but at this time I did not find any possible solution to bring such option to an IPv6 network while supporting Windows and Mac OS X clients....

  7. I would strongly suggest you use static IPv6 addresses for servers.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.