IPv6 autoconfiguration: too many cooks spoil the broth
Andrej Kobal from Astec shared a few interesting facts during the 3rd Slovenian IPv6 summit: they were deploying a pilot IPv6 subnet in a large network and wanted to retain tight control over the IPv6 address assignment (some people don’t consider random address chasing embraced by Windows the best use of their time), so they’ve decided to use DHCPv6. Bad luck: DHCPv6 can’t tell you the IPv6 address of the default router (like DHCP does). You need ICMPv6 RA (part of IPv6 Neighbor Discovery) to figure out who the router is.
If you want to protect the integrity of your network, you need to deploy SeND or RA guard as well as DHCPv6 guard on your switches. These features are not yet available on many L2 switches ... Catalyst 4500 and Catalyst 6500 are a notable exception. Catalyst 3750 also supports IPv6 port access lists.
OK, so maybe SLAAC (RFC 4862) is the way to go. Not really: you cannot pass the address of the DNS server in ICMPv6 messages unless you use the experimental extensions defined in RFC 5006, not to mention the inability to create dynamic reverse DNS mappings (which any decent DHCP server should support). Furthermore, don’t count on RFC 5006 being supported in mainstream operating systems right now (if you’re really brave you could deploy open-source freeware in your production network).
For more autoconfiguration gotchas, read the comments in this blog post.
Bottom line: to get what DHCP gives you in the IPv4 world, you have to use two protocols in the IPv6 world.
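To make the split concrete, here is an added example (not from the original post) that parses a constructed ICMPv6 Router Advertisement and pulls out exactly the things DHCPv6 cannot supply: the default-router lifetime, the M/O flags that steer hosts toward DHCPv6, the SLAAC prefixes, and the RFC 5006 RDNSS option. It assumes the RFC 4861 message layout and RDNSS option type 25; the sample packets are constructed, with the checksum left at zero.

```python
import struct
import ipaddress

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3  # Prefix Information option (SLAAC prefixes)
OPT_RDNSS = 25       # Recursive DNS Server option (RFC 5006)

def parse_ra(icmpv6: bytes) -> dict:
    """Extract from an RA the fields that decide how a host autoconfigures.
    Expects the ICMPv6 message only (IPv6 header already stripped)."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags, router_lifetime = struct.unpack("!BH", icmpv6[5:8])
    info = {
        "default_router": router_lifetime > 0,  # lifetime 0: not a default router
        "router_lifetime": router_lifetime,
        "managed_dhcpv6": bool(flags & 0x80),   # M bit: addresses via DHCPv6
        "other_config": bool(flags & 0x40),     # O bit: other info via DHCPv6
        "slaac_prefixes": [],
        "rdnss": [],
    }
    off = 16
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1]
        body = icmpv6[off:off + olen * 8]
        if olen == 0 or len(body) < olen * 8:
            raise ValueError("malformed option")  # RFC 4861: discard the packet
        if otype == OPT_PREFIX_INFO and olen == 4 and body[3] & 0x40:  # A bit set
            prefix = ipaddress.IPv6Address(body[16:32])
            info["slaac_prefixes"].append(f"{prefix}/{body[2]}")
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            for i in range(8, olen * 8, 16):  # addresses follow reserved+lifetime
                info["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8
    return info

def build_sample_ra(managed: bool) -> bytes:
    """Constructed sample RA (checksum left zero): default router with lifetime
    1800 s; with managed=True it sets M and omits SLAAC/RDNSS, i.e. the DHCPv6
    deployment from the post, which still needs this RA to learn the router."""
    flags = 0x80 if managed else 0x00
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    if not managed:
        ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
        ra += ipaddress.IPv6Address("2001:db8:1::").packed
        ra += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600)
        ra += ipaddress.IPv6Address("2001:db8::53").packed
    return ra
```

Run `parse_ra(build_sample_ra(managed=True))` to see the DHCPv6 case: the M flag is set and no prefix or DNS option is present, yet the default router still comes only from this RA, which is why RA guard matters even on a DHCPv6-managed segment.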
One would expect that 15+ years of IPv6 development would clarify and simplify those "simple tasks", but no....
Those things might work OK for some lab rats and IPv6 enthusiasts, but "Janez Novak" 8-) just "wants it to work" (TM) - no installs, no configs and no manual configuration of either IP address OR rDNS server...
RFC 5006 (EXP) will probably be rewritten and put on the standards track (see IETF work in progress in 6man wg)
The main reason people seem to say they want to use stateful DHCPv6 is that they want to record MAC address / IPv6 address mappings for audit purposes. I think that can easily be achieved in the stateless model by having a router (or another appropriate device) notice when DAD is initially occurring, tentatively place that end-node information in the neighbor cache if it doesn't conflict with existing entries, and then have NUD generate an SNMP trap when the address is determined to be not a duplicate, and have NUD generate another SNMP trap when the neighbor cache entry is removed. Since it would be quite simple to create audit logs of address usage in a stateless model using this method, I think DHCPv6 for addressing mostly just exists because "that's how it works in IPv4". A shame really, it seems like the most popular criticism of IPv6 is support for the two different addressing configuration models.
I know the new RFCs are out, but yet again, why did it take 10+ years to realize the problem ... and when will we have them available in all desktop OS where they matter most?