SLAAC and DHCPv6 Got IPv6? Rick Graziani Cabrillo College

1 SLAAC and DHCPv6 Got IPv6? Rick Graziani Cabrillo College
Got IPv6?

2 STEAL MY STUFF!
www.cabrillo.edu/~rgraziani/ipv6.html
Username = cisco Password = perlman
Shameless plug:
IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6, by Rick Graziani, ISBN-10:
IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6, by Rick Graziani, ISBN-10:

3 Running Out of IPv4
The regions with the largest populations have the lowest percentages of people connected to the Internet.
Graphic from Internet World Stats,

4 When is IPv6 going to happen?

5 From Misperceptions about ARIN IPv4 Depletion (from ARIN)

6 Wave hitting the ISP shores
ISPs are running out or have run out of IPv4
70% of ISP transit traffic (IPv4 and IPv6) is being carried over IPv6 (Cisco Live, 2015)
Large ISPs looking to go to IPv6 only
CGN is not a good option (breaks things)
47% of Internet content available on IPv6
Parts of Internet going IPv6 only
ISPs, mobile feeling the wave now
Home and corporate content is next wave
US Corporate office …. Well ….

7 CGN breaks (from RFC 6598)
192.168.1.0/24
100.64.0.0/10
Console gaming
Video streaming
Peer-to-Peer Applications
Geo-location

8 CENIC customers may be allocated space no larger than a /27 (32 usable addresses).
In all cases, utilization of 85% or greater must be demonstrated before additional space will be allocated.

9 And then there’s mobile…
Facebook sees 20-40% (1-2 seconds) better performance because no NAT, CGN, etc.
Facebook internally is IPv6 only
464XLAT allows IPv4 apps to talk to IPv4 servers over IPv6 networks by having the phone translate the application's network requests from IPv4 to IPv6. Then, at the edge of the IPv6 network, a NAT64 device translates the IPv6 packets back to IPv4 and sends them on their way to the server.

10 Comcast X1 is IPv6 Only - Comcast Voice is going IPv6 only

11 The benefits of deploying IPv6 only
Geoff Huston (APNIC)
Addressing NANOG64 (2015) (Comcast, Facebook, T-Mobile)
2013 – Less than 1% IPv6
2014 – 5%
2015 – 20%
Why the sudden growth? Because operators have had to go to IPv6
Comcast – 45% is IPv6 for those dual stack

14 Introduction to SLAAC (Stateless Address Autoconfiguration)

15 Stateful vs Stateless
DHCPv6 Server
I might not even be needed.
STATEFUL: I need an IPv6 address from someone who is keeping track of who has what address.
STATELESS: I will come up with my own IPv6 address…. No one will keep track of what address I have.
Hey! I can do that!
Stateful – Some server is keeping track or a record of the interaction.
Stateless – No one is keeping track or a record…. But a device can still make sure its address is unique.

16 Dynamic IPv6 Address Allocation
Global Unicast
Manual: Static, IPv6 unnumbered, Static + EUI 64
Dynamic, Stateless: SLAAC, SLAAC + DHCPv6
Dynamic, Stateful: DHCPv6, DHCPv6-PD

17 Dynamic IPv4 Address Allocation
DHCP Client: I need IPv4 addressing information from a DHCP server.
DHCP Server: Here is your IPv4 address, subnet mask, default gateway and DNS server addresses.

18 It Begins with the RA Message
Router(config)# ipv6 unicast-routing
ICMPv6 Router Solicitation – Multicast: To all IPv6 routers, I need IPv6 address information
ICMPv6 Router Advertisement – Multicast: To all IPv6 devices, let me tell you how to do this …
DHCPv6 Server
I might not even be needed.
An ICMPv6 Router Advertisement (RA) suggests to all IPv6 devices on the link how they will receive IPv6 address information.
Sent periodically by an IPv6 router or…
… when the router receives a Router Solicitation message from a host.
Routers can be configured with IPv6 addresses without being an IPv6 router.

19 Routers versus IPv6 Routers
Router: 2001:DB8:CAFE:1::1/64, FE80::1, FF02::1 (All-IPv6 devices)
IPv6 Router: Router(config)# ipv6 unicast-routing, 2001:DB8:CAFE:1::1/64, FE80::1, FF02::1 (All-IPv6 devices), FF02::2 (All-IPv6 routers), ICMPv6 Router Advertisement
A router (not enabled as an IPv6 router):
Configure IPv6 addresses
Member of All-IPv6 devices multicast group
An IPv6 router:
Same as a non-IPv6 router
Member of All-IPv6 routers multicast group
Sends ICMPv6 Router Advertisement messages
Can enable IPv6 routing protocols: RIPng, OSPFv3, EIGRP for IPv6
Forward IPv6 packets (transiting the router)
Documentation states that only an IPv6 router can forward IPv6 packets; however, IOS does allow you to configure IPv6 static routes and it forwards IPv6 packets using those routes.

20 Router Advertisement: 3 Options
Router(config)# ipv6 unicast-routing
Option 1 and 2: Stateless Address Autoconfiguration – DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration – Address received from DHCPv6 Server
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers): “I’m everything you need (Prefix, Prefix-length, Default Gateway)”
Option 2: SLAAC + Stateless DHCPv6 for DNS address: “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA)
Option 3: All addressing except default gateway use DHCPv6: “I can’t help you. Ask a DHCPv6 server for all your information.”
Option 1 technically isn’t everything, as there’s no DNS server or domain name info (RFC 6106). The router needs to support sending the info and the end system needs to know what to do with it.
For option 3, you still need to control the SLAAC process with the RAs (e.g. how the prefix in the RA should be used); otherwise the end system will end up with both a DHCP and a SLAAC address.

21 SLAAC: Stateless Address Autoconfiguration
Router(config)# ipv6 unicast-routing
2001:DB8:CAFE:1::/64
ICMPv6 Router Advertisement: Prefix and other information
DHCPv6 Server
SLAAC (Stateless Address Autoconfiguration) allows a device to create its own IPv6 global unicast address without the services of a DHCPv6 server.
Prefix: From the Router Advertisement (RA).
Interface ID: EUI-64 or random 64-bit value
I know the network prefix from the RA. I just need to come up with my own Interface ID for my GUA!

22 Ignoring the RA Message?
Link-local address, ICMPv6 Router Advertisement, DHCPv6, DHCPv6 Server
The ICMPv6 Router Advertisement suggests to the host how to get its address automatically.
Can a host ignore an ICMPv6 Router Advertisement?
Host operating systems can include the option of ignoring the Router Advertisement from the router and only using the stateful services of a DHCPv6 server (or whatever it wants to do).
However, hosts can’t ignore the default gateway (source of RA) unless manually configured.

23 ICMPv6 Router Advertisement
RA Message Options: Option 1, 2, or 3
The type of Router Advertisement option depends on two RA flags:
Option | Other Configuration (“O”) Flag | Managed Configuration (“M”) Flag
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers) | 0 | 0
Option 2: SLAAC + Stateless DHCPv6 for DNS address | 1 | 0
Option 3: All addressing except default gateway use DHCPv6 | 0 | 1
Configuring Flags discussed in Lesson 8.

24 Obtaining an IPv6 Address Automatically

25 SLAAC: Stateless Address Autoconfiguration
2001:DB8:CAFE:1::/64
MAC: D2-8C-E0-4C
1. SLAAC Option 1 – RA Message
To: FF02::1 (All-IPv6 devices)
From: FE80::1 (Link-local address)
Prefix: 2001:DB8:CAFE:1::
Prefix-length: /64
2. RA
Prefix: 2001:DB8:CAFE:1::
Prefix-length: /64
Default Gateway: FE80::1
Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID
3. EUI-64 Process or Random 64-bit value
Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.
ipv6 nd ra dns-suffix ipv6.vmwcs.com
To configure the IPv6 router advertisement of DNS server addresses on an interface, use the ipv6 nd ra dns server command in interface configuration mode. To remove the IPv6 router advertisement of DNS server addresses, use the no form of this command.
ipv6 nd ra dns server ipv6-address seconds
no ipv6 nd ra dns server ipv6-address
Syntax Description
seconds: The amount of time (in seconds) that the Domain Naming System (DNS) server is advertised in an IPv6 router advertisement (RA). The range is from 200 to
Command Default: The DNS server is not advertised in an IPv6 RA.
Command Modes: Interface configuration (config-if)
Command History: Cisco IOS XE Release 3.9S – This command was introduced.
Usage Guidelines: You can use the ipv6 nd ra dns server command to configure up to eight DNS server addresses in an RA. If you configure a seconds value of zero, the DNS server will no longer be used.
Examples: The following example configures a DNS server with an IPv6 address of 2001:DB8:1::1 to be advertised in an RA with a lifetime of 600 seconds:
Router(config)# interface ethernet 0/0
Router(config-if)# ipv6 nd ra dns server 2001:DB8:1::1 600

26 SLAAC: Interface ID
Global Routing Prefix (/48), 16-bit Subnet ID (/64), 64-bit Interface ID
SLAAC Interface ID: EUI-64 Process, or Randomly Generated Number (Privacy Extension)
Table (Operating System, EUI-64, Random 64-bit): Windows XP, Server 2003; Windows Vista and newer; MAC OSX; Linux
Check your OS for the default…. Most operating systems provide options to use either one.
Cisco router configured as a client will use EUI-64. More on the router as a client in Lesson 8 when we discuss SLAAC and DHCPv6.
Default OS behavior can be changed.

27 SLAAC: EUI-64
2001:DB8:CAFE:1::/64
MAC: 00-19-D2-8C-E0-4C
1. SLAAC Option 1 – RA Message
To: FF02::1 (All-IPv6 devices)
From: FE80::1 (Link-local address)
Prefix: 2001:DB8:CAFE:1::
Prefix-length: /64
2. RA
Prefix: 2001:DB8:CAFE:1::
Prefix-length: /64
Default Gateway: FE80::1
Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID
3. EUI-64 Process or Random 64-bit value
Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.
As of now Cisco only supports DNS server advertisement, not domain name, on IOS XE.

28 Modified EUI-64 Format (Extended Unique Identifier–64)
MAC address: OUI (24 bits) 00 19 D2, Device Identifier (24 bits) 8C E0 4C
Insert FF-FE: 00 19 D2 FF FE 8C E0 4C
U/L bit flipped: 02 19 D2 FF FE 8C E0 4C
Inserting FFFE gives us a 64-bit Interface ID.
IPv6 64-bit interface IDs are on a 64-bit boundary and accommodate the IEEE specification for 64-bit MAC addresses.
IEEE has chosen FFFE as a reserved value which can only appear in an EUI-64 generated from an EUI-48 MAC address.
IEEE's Guidelines for EUI-64 Registration Authority,
The reason for the U/L bit being flipped can be found in RFC 4291, IP Version 6 Addressing Architecture.

29 Verifying SLAAC on the PC Using EUI-64
Router Advertisement, EUI-64
PC> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
IPv6 Address : 2001:db8:cafe:1:0219:d2ff:fe8c:e04c
Link-local IPv6 Address . . : fe80::0219:d2ff:fe8c:e04c
Default Gateway : fe80::1
A 64-bit Interface ID and the EUI-64 process accommodates:
The IEEE specification for a 64-bit MAC address
64-bit boundary processing
FF-FE – more than likely EUI-64
Link-local address is usually the same process
Default gateway – link-local address

30 SLAAC: Random 64-bit Interface ID
Global Routing Prefix (/48), 16-bit Subnet ID (/64), 64-bit Interface ID
SLAAC Interface ID: EUI-64 Process, or Randomly Generated Number (Privacy Extension)
Table (Operating System, EUI-64, Random 64-bit): Windows XP, Server 2003; Windows Vista and newer; MAC OSX; Linux
Check your OS for the default…. Most operating systems provide options to use either one.

31 Verifying SLAAC on the PC Using Privacy Extension
Router Advertisement, EUI-64
PC-Windows7> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
IPv6 Address : 2001:db8:cafe:1:50a5:8a35:a5bb:66e1
Link-local IPv6 Address . . : fe80::50a5:8a35:a5bb:66e1
Default Gateway : fe80::1
No FF-FE

32 SLAAC: Including the DNS Server in the RA *
2001:DB8:CAFE:1::/64, G0/1
ICMPv6 Router Advertisement: Prefix and other information
DNS Server 2001:DB8:CAFE:1::99
Router(config)# ipv6 unicast-routing
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd ra dns server 2001:db8:cafe:1::99 600
Configures a DNS server with an IPv6 address of 2001:DB8:CAFE:1::99 to be advertised in an RA with a lifetime of 600 seconds.

33 Ensuring Unique Unicast Addresses
Global Unicast :db8:cafe:1:50a5:8a35:a5bb:66e1
Link-local fe80::50a5:8a35:a5bb:66e1
Neighbor Solicitation
Neighbor Advertisement? Not received = unique address. Received = duplicate address.
SLAAC is stateless: no entity (DHCPv6 server) is maintaining a state of address-to-device mappings.
How can we guarantee the address is unique? Duplicate Address Detection (DAD)
Once required for all unicast addresses (static or dynamic), the RFC was updated so that DAD is only recommended.
/64 Interface IDs!

34 You Are Probably Already Running IPv6
R1: IPv4
Hosts: IPv4, IPv6
RS: I need an IPv6 prefix
Rogue RA: Here is an IPv6 prefix and gateway
Windows Vista or later, Mac OSX, Linux already running IPv6
Potential DoS or MITM attack, even if the router is not IPv6 enabled.
Even if the router is not IPv6 enabled, your clients most likely are! I can still do a DoS attack on clients or perhaps even still do a MITM attack. There are mitigation techniques such as RA Guard.

35 Configuring a Router as a SLAAC Client

36 Routers versus IPv6 Routers
Router: 2001:DB8:CAFE:1::1/64, FE80::1, FF02::1 (All-IPv6 devices)
IPv6 Router: Router(config)# ipv6 unicast-routing, 2001:DB8:CAFE:1::1/64, FE80::1, FF02::1 (All-IPv6 devices), FF02::2 (All-IPv6 routers), ICMPv6 Router Advertisement
A router (not enabled as an IPv6 router):
Configure IPv6 addresses
Member of All-IPv6 devices multicast group
An IPv6 router:
Same as a non-IPv6 router
Member of All-IPv6 routers multicast group
Sends ICMPv6 Router Advertisement messages
Can enable IPv6 routing protocols: RIPng, OSPFv3, EIGRP for IPv6
Forward IPv6 packets (transiting the router)
Documentation states that only an IPv6 router can forward IPv6 packets; however, IOS does allow you to configure IPv6 static routes and it forwards IPv6 packets using those routes.

37 Configuring the Router as a Client
2001:DB8:CAFE:1::/64, R1 (“IPv6 Router”) Gig 0/1, Client Gig 0/1, ICMPv6 Router Advertisement
R1(config)# interface gig 0/1
R1(config-if)# ipv6 address 2001:db8:cafe:1::1/64
R1(config-if)# ipv6 address fe80::1 link-local
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# ipv6 unicast-routing
Now I can accept RA messages and get a GUA automatically!
Client(config)# interface gig 0/1
Client(config-if)# ipv6 enable ! Not needed
Client(config-if)# ipv6 address autoconfig default
Client(config-if)# no shutdown
Link-local address created
Client router acting as an IPv6 client host.
ipv6 enable command – necessary to create link-local address, thus enabling it as an IPv6 interface. Remember, a device must have at least a link-local address to be an IPv6 device.
ipv6 address autoconfig – enables the router to accept and process Router Advertisements on the interface

38 Verifying the RA Message
2001:DB8:CAFE:1::/64, R1 Gig 0/1 (::1, FE80::1), Client Gig 0/1, ICMPv6 Router Advertisement
R1# show ipv6 interface gigabitethernet 0/1
GigabitEthernet0/1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::1
Global unicast address(es):
2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
Joined group address(es):
FF02::1
FF02::2
FF02::FB
FF02::1:FF00:1
ND router advertisements are sent every 200 seconds
Hosts use stateless autoconfig for addresses.
Partial output
FE80::1 is the source IPv6 address of the RA

39 Verifying the Client (Router) Is Using SLAAC/EUI-64
2001:DB8:CAFE:1::/64, R1 Gig 0/1 (::1, FE80::1), Client Gig 0/1, ICMPv6 Router Advertisement
Client# show ipv6 interface brief
GigabitEthernet0/1 [up/up]
FE80::8A5A:92FF:FE3B:29E1
2001:DB8:CAFE:1:8A5A:92FF:FE3B:29E1
<Rest of output omitted>
Client# show interface gigabitethernet 0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 885a.923b.29e1 (bia 885a.923b.29e1)
EUI-64
Notice the link-local address also used EUI-64

40 Router versus “IPv6 Router”
2001:DB8:CAFE:1::/64, R1 Gig 0/1 (::1, FE80::1), Client Gig 0/1, ICMPv6 Router Advertisement
Client# show ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ND ::/0 [2/0]
via FE80::1, GigabitEthernet0/1
NDp 2001:DB8:CAFE:1::/64 [2/0]
via GigabitEthernet0/1, directly connected
<Rest of output omitted>
Partial output
ND: Default route learned via Neighbor Discovery (SLAAC)
NDp: Prefix learned via Neighbor Discovery (SLAAC)
Client also learned the default gateway (or default route) from R1’s RA
FE80::1 is the source IPv6 address of the RA

41 DHCPv6 (Dynamic Host Configuration Protocol for IPv6)

42 DHCPv6
Global Unicast
Manual: Static, IPv6 unnumbered (similar to IPv4 unnumbered), Static + EUI 64
Dynamic, Stateless: SLAAC, SLAAC + DHCPv6
Dynamic, Stateful: DHCPv6, DHCPv6-PD

43 Dynamic IPv4 Address Allocation
DHCP Client: I need IPv4 addressing information from a DHCP server.
DHCP Server: Here is your IPv4 address, subnet mask, default gateway and DNS server addresses.

44 All Dynamic Addressing Begins with the RA Message
ICMPv6 Router Solicitation – Multicast: To all IPv6 routers, I need IPv6 address information
ICMPv6 Router Advertisement – Multicast: To all IPv6 devices, let me tell you how to do this …
DHCPv6 Server
I might not even be needed.
An ICMPv6 Router Advertisement (RA) suggests to all IPv6 devices on the link how they will receive IPv6 address information.
Sent periodically by an IPv6 router or…
… when the router receives a Router Solicitation message from a host.

45 Router Advertisement: 3 Options
Router(config)# ipv6 unicast-routing
Option 1 and 2: Stateless Address Autoconfiguration – DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration – Address received from DHCPv6 Server
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers): “I’m everything you need (Prefix, Prefix-length, Default Gateway)”
Option 2: SLAAC + Stateless DHCPv6 for DNS address: “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA)
Option 3: All addressing except default gateway use DHCPv6: “I can’t help you. Ask a DHCPv6 server for all your information.”
Option 1 is mostly what you need. Still need DNS server and domain name info.
Router(config-if)# ipv6 nd ra dns server 2001:DB8:1::1 600

46 ICMPv6 Router Advertisement
RA Message Options: Option 1, 2, or 3
The type of Router Advertisement option depends on two RA flags: Other Configuration Flag and Managed Configuration Flag
Default: Both flags are set to 0 (Option 1). Use me (RA) for all your addressing information, no additional information available via DHCPv6.
Other Configuration Flag when set to “1” (Option 2): Use me (RA) for your address but you need to get OTHER information from a stateless DHCPv6 server.
Managed Configuration Flag when set to “1” (Option 3): The client needs to get ALL of its MANAGED information from a stateful DHCPv6 server, except default gateway.

47 ICMPv6 Router Advertisement
RA Message Options: Option 1, 2, or 3
Option | Other Configuration (“O”) Flag | Managed Configuration (“M”) Flag
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers) | 0 | 0
Option 2: SLAAC + Stateless DHCPv6 for DNS address | 1 | 0
Option 3: All addressing except default gateway use DHCPv6 | 0 | 1

48 Obtaining an IPv6 Address Automatically

49 Stateless DHCPv6

50 RA Message
Router(config)# ipv6 unicast-routing
Option 1 and 2: Stateless Address Autoconfiguration – DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration – Address received from DHCPv6 Server
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers): “I’m everything you need (Prefix, Prefix-length, Default Gateway)”
Option 2: SLAAC + Stateless DHCPv6 for DNS address: “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA)
Option 3: All addressing except default gateway use DHCPv6: “I can’t help you. Ask a DHCPv6 server for all your information.”

51 ICMPv6 Router Advertisement
RA Message Options: Option 1, 2, or 3
Option | Other Configuration (“O”) Flag | Managed Configuration (“M”) Flag
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers) | 0 | 0
Option 2: SLAAC + Stateless DHCPv6 for DNS address | 1 | 0
Option 3: All addressing except default gateway use DHCPv6 | 0 | 1

52 Router as a Stateless DHCPv6 Server
IPv6 Router & DHCPv6 Server (Stateless DHCP Server)
1. ICMPv6 Router Solicitation
2. ICMPv6 Router Advertisement – Option 2: Stateless DHCPv6, O Flag = 1, M Flag = 0
Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.
I created my own address (Stateless), and have the default gateway, but I need a DNS address…
Stateless DHCPv6
DHCPv6 messages are similar to DHCPv4. The Information Request is used for Stateless DHCPv6 whereas a REQUEST message is used for Stateful DHCPv6.

53 Setting the Other Configuration Flag
ICMPv6 Router Advertisement – Option 2: Stateless DHCPv6, O Flag = 1, M Flag = 0
Router(config)# interface gigabitethernet 0/0
Router(config-if)# ipv6 nd other-config-flag

54 SLAAC for Addressing & DNS for Other Information
2001:DB8:CAFE:1::/64
MAC: D2-8C-E0-4C
1. RA Message: Stateless DHCPv6
To: FF02::1 (All-IPv6 devices)
From: FE80::1 (Link-local address)
Prefix: 2001:DB8:CAFE:1::
Prefix-length: /64
Other Configuration Flag: 1
2. RA
Prefix: 2001:DB8:CAFE:1::
Prefix-length: /64
Default Gateway: FE80::1
Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID
2001:DB8:CAFE:1:6909:cb1c:36a0:a595
DHCPv6 for DNS
3. EUI-64 Process or Random 64-bit value
Stateless DHCPv6 Server

55 Stateless DHCPv6 Configuration

56 Configuring Router as a Stateless DHCPv6 Server
IPv6 Router & DHCPv6 Server, O = 1, DHCPv6
Step 1: Enable IPv6 routing to send ICMPv6 Router Advertisement
Router(config)# ipv6 unicast-routing
Step 2: Configure “stateless” DHCPv6 and parameters
Router(config)# ipv6 dhcp pool pool-name
Router(config-dhcpv6)# dns-server dns-server-address
Router(config-dhcpv6)# domain-name domain-name
Step 3: Configure interface: RA message and DHCPv6 server
Router(config)# interface type number
Router(config-if)# ipv6 nd other-config-flag
Router(config-if)# ipv6 dhcp server pool-name
No client address information.

57 Configuring Router as a Stateless DHCPv6 Server
IPv6 Router & DHCPv6 Server: G0/0 :1, 2001:DB8:CAFE:1/64
RA Message: O Flag = 1, M Flag = 0
DNS Server: 2001:DB8:CAFE:9::99
DHCPv6
I created my own address (Stateless), and now I need to get a DNS address using stateless DHCPv6.

58 Configuring Router as a Stateless DHCPv6 Server
G0/0 :1, 2001:DB8:CAFE:1/64, RA O = 1, DHCPv6
DNS Server: 2001:DB8:CAFE:9::99
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 dhcp pool IPV6-STATELESS
Router(config-dhcpv6)# dns-server 2001:DB8:CAFE:9::99
Router(config-dhcpv6)# domain-name
Router(config)# interface GigabitEthernet 0/0
Router(config-if)# ipv6 address 2001:DB8:CAFE:1::1/64
Router(config-if)# ipv6 address FE80::1 link-local
Router(config-if)# ipv6 nd other-config-flag
Router(config-if)# ipv6 dhcp server IPV6-STATELESS

59 Verifying Stateless DHCPv6 Server Configuration
G0/0 :1, 2001:DB8:CAFE:1/64, RA O = 1, DHCPv6
DNS Server: 2001:DB8:CAFE:9::99
PC> ipconfig /all
Physical Address : B-88-0E-40
IPv6 Address : 2001:db8:cafe:1:6909:cb1c:36a0:a595
Default Gateway : fe80::1
DNS Servers : 2001:db8:cafe:9::99
Connection-specific DNS Suffix Search List:
Random 64 bits
Privacy extension used – no FF-FE and no relation to MAC address

60 Verifying Stateless DHCPv6 Server Configuration
G0/0 :1, 2001:DB8:CAFE:1/64, RA O = 1, DHCPv6
DNS Server: 2001:DB8:CAFE:9::99
Router# show ipv6 interface gigabitethernet 0/0
GigabitEthernet 0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::1
Global unicast address(es):
2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
<Output omitted>
Hosts use stateless autoconfig for addresses.
Hosts use DHCP to obtain other configuration.
Router#

61 Stateful DHCPv6

62 RA Message
Router(config)# ipv6 unicast-routing
Option 1 and 2: Stateless Address Autoconfiguration – DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration – Address received from DHCPv6 Server
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers): “I’m everything you need (Prefix, Prefix-length, Default Gateway)”
Option 2: SLAAC + Stateless DHCPv6 for DNS address: “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA)
Option 3: All addressing except default gateway use DHCPv6: “I can’t help you. Ask a DHCPv6 server for all your information.”

63 ICMPv6 Router Advertisement
RA Message Options: Option 1, 2, or 3
Option | Other Configuration (“O”) Flag | Managed Configuration (“M”) Flag
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers) | 0 | 0
Option 2: SLAAC + Stateless DHCPv6 for DNS address | 1 | 0
Option 3: All addressing except default gateway use DHCPv6 | 0 | 1

64 Router as a Stateful DHCPv6 Server
IPv6 Router & DHCPv6 Server
1. ICMPv6 Router Solicitation
2. ICMPv6 Router Advertisement – Option 3: Stateful DHCPv6, O Flag = 0, M Flag = 1
I’m only using the default gateway address from the RA. I need to contact a stateful DHCPv6 server for all my addressing.
Stateless DHCPv6
Stateful DHCP Server

65 Option 3 and the “A” Flag
G 0/1, ICMPv6 RA: M Flag = 1, A Flag = 1
DHCPv6, DHCPv6 Server
As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses
Option 3: All addressing except default gateway use DHCPv6 – Managed Configuration (“M”) Flag = 1
Address Autoconfiguration (“A”) Flag = 1 (default): Prefix in RA can be used for SLAAC – Yes
Address Autoconfiguration (“A”) Flag = 0: Prefix in RA can be used for SLAAC – No
The autonomous address configuration (A) flag tells hosts that they can create an address for themselves by combining the prefix in the RA with an interface identifier.

66 Setting the Managed Configuration Flag
ICMPv6 Router Advertisement – Option 3: Stateful DHCPv6, O Flag = 0, M Flag = 1
DHCPv6, DHCPv6 Server
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd managed-config-flag

67 Stateful DHCPv6 without SLAAC
G 0/1, ICMPv6 Router Advertisement – Option 3: Stateful DHCPv6, O Flag = 0, M Flag = 1
No SLAAC: A Flag = 0
DHCPv6, DHCPv6 Server
As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 nd prefix prefix/length no-autoconfig
no-autoconfig (Optional): Indicates to hosts on the local link that the specified prefix cannot be used for IPv6 autoconfiguration (SLAAC). The prefix will be advertised with the A-bit clear (autonomous address-configuration flag).
The ipv6 nd prefix 2001:DB8:CAFE:120::/64 no-autoconfig command (set A flag off), coupled with the M flag set on, succeeds in getting Windows 7 to just populate one address, while still installing a default route on the client.
Temporary addresses
The globally unique and static MAC addresses, used by stateless address autoconfiguration to create interface identifiers, offer an opportunity to track user equipment—across time and IPv6 network prefix changes—and so users.[33] To reduce the prospect of a user identity being permanently tied to an IPv6 address portion, a node may create temporary addresses with interface identifiers based on time-varying random bit strings[34] and relatively short lifetimes (hours to days), after which they are replaced with new addresses. Temporary addresses may be used as source address for originating connections, while external hosts use a public address by querying the Domain Name System. Network interfaces configured for IPv6 use temporary addresses by default in OS X Lion or later Apple systems, and in Windows Vista, Windows 2008 Server or later Microsoft systems.
SLAAC and DHCPv6 address - clear the A flag in the RA
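
An added Python example, not part of the original presentation, that parses an ICMPv6 Router Advertisement and reads the M, O and A flags discussed on slides 46 through 67, then applies the checks a defender would run against the rogue RA scenario from slide 34. All function names, the allow-list approach, the sample messages and the fe80::bad and 2001:db8:bad::/64 values are constructed assumptions; the byte offsets follow the RA, Prefix Information and RDNSS (RFC 6106) option layouts.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO, OPT_RDNSS = 134, 3, 25   # RDNSS is the RFC 6106 DNS option

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 type byte."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(icmp[5] & 0x80), "O": bool(icmp[5] & 0x40),
          "prefixes": [], "dns": []}
    pos = 16                                    # options follow the 16-byte header
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8    # length is in 8-byte units
        if olen == 0 or pos + olen > len(icmp):
            raise ValueError("malformed option length")
        opt = bytes(icmp[pos:pos + olen])
        if otype == OPT_PREFIX_INFO and olen == 32:
            net = ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False)
            ra["prefixes"].append({"prefix": net, "A": bool(opt[3] & 0x40)})
        elif otype == OPT_RDNSS and olen >= 24:
            ra["dns"] += [ipaddress.IPv6Address(opt[i:i + 16])
                          for i in range(8, olen, 16)]
        pos += olen
    return ra

def addressing_option(ra: dict) -> int:
    """Map the flags to the slides' Option 1/2/3 (M=1 is treated as Option 3)."""
    if ra["M"]:
        return 3
    return 2 if ra["O"] else 1

def audit_ra(src: str, ra: dict, routers, prefixes, dns_servers=()) -> list:
    """Compare one RA against what this link is expected to advertise."""
    findings = []
    source = ipaddress.IPv6Address(src.split("%")[0])   # drop any %interface scope
    if source not in {ipaddress.IPv6Address(r) for r in routers}:
        findings.append(f"RA from unexpected source {source}")
    expected = {ipaddress.IPv6Network(p) for p in prefixes}
    for p in ra["prefixes"]:
        if p["prefix"] not in expected:
            findings.append(f"unexpected prefix {p['prefix']}")
        if ra["M"] and p["A"]:
            findings.append(f"M=1 with A=1 on {p['prefix']}: hosts will hold "
                            "both a DHCPv6 and a SLAAC address")
    allowed_dns = {ipaddress.IPv6Address(d) for d in dns_servers}
    for d in ra["dns"]:
        if d not in allowed_dns:
            findings.append(f"unexpected DNS server {d} in RA")
    return findings

def build_ra(m: bool, o: bool, prefix: str, a: bool = True, dns=()) -> bytes:
    """Build a constructed RA for the demo (checksum left as zero)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                       0x80 | (0x40 if a else 0), 2592000, 604800, 0)
    msg += net.network_address.packed
    if dns:
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 600)
        msg += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return msg

if __name__ == "__main__":
    link = dict(routers=["fe80::1"], prefixes=["2001:db8:cafe:2::/64"],
                dns_servers=["2001:db8:cafe:9::99"])
    samples = [   # constructed (source, RA) pairs
        ("fe80::1", build_ra(True, False, "2001:db8:cafe:2::/64", a=False)),
        ("fe80::1", build_ra(True, False, "2001:db8:cafe:2::/64", a=True)),
        ("fe80::bad", build_ra(False, False, "2001:db8:bad::/64",
                               dns=["2001:db8:bad::53"])),
    ]
    for src, raw in samples:
        ra = parse_ra(raw)
        print(src, "option", addressing_option(ra), audit_ra(src, ra, **link))
```

RA Guard, which the slides name as a mitigation, filters on the switch port; a check like this only reports what a host or sensor on the link actually received.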

68 Stateful DHCPv6
2001:DB8:CAFE:2::/64
As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses
1. RA Message: Stateful DHCPv6
To: FF02::1 (All-IPv6 devices)
From: FE80::1 (Link-local address)
Prefix: 2001:DB8:CAFE:2::
Prefix-length: /64
Managed Configuration Flag: 1
Autonomous Address Flag: 0
2. RA
Default Gateway: FE80::1
Global Unicast Address: DHCPv6
DHCPv6
Stateful DHCPv6 Server

69 Stateful DHCPv6 Configuration

70 Configuring Router as a Stateful DHCPv6 Server
IPv6 Router & DHCPv6 Server, M = 1 A=1, DHCPv6
Step 1: Enable IPv6 routing to send ICMPv6 Router Advertisement
Router(config)# ipv6 unicast-routing
Step 2: Configure “stateful” DHCPv6 and parameters
Router(config)# ipv6 dhcp pool pool-name
Router(config-dhcpv6)# address prefix prefix/length
Router(config-dhcpv6)# dns-server dns-server-address
Router(config-dhcpv6)# domain-name domain-name
Step 3: Configure interface: RA message and DHCPv6 server
Router(config)# interface type number
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 nd prefix prefix/prefix-length no-autoconfig
Router(config-if)# ipv6 dhcp server pool-name
Client address information.
The address prefix command includes an option for setting the lifetime of the address, using the lifetime option.

71 Configuring Router as a Stateful DHCPv6 Server
G0/1 :1, 2001:DB8:CAFE:2/64, RA M = 1, DHCPv6
DNS Server: 2001:DB8:CAFE:9::99
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 dhcp pool IPV6-STATEFUL
Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80
Router(config-dhcpv6)# dns-server 2001:DB8:CAFE:9::99
Router(config-dhcpv6)# domain-name
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ipv6 address 2001:DB8:CAFE:2::1/64
Router(config-if)# ipv6 address FE80::1 link-local
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 dhcp server IPV6-STATEFUL
Can be a /64

72 Including Only Valid Addresses to Be Assigned
With IPv4, on a router enabled as a DHCPv4 server, we specifically EXCLUDE addresses from being assigned. All other addresses are INCLUDED as possible assigned addresses.
Router-IPV4(config)# ip dhcp excluded-address
With IPv6, on a router enabled as a DHCPv6 server, we specifically INCLUDE addresses to be assigned. All other addresses are EXCLUDED as possible assigned addresses.
Using the prefix length of the LAN may include the router’s address and other statically assigned addresses.
Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2::/64
Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80

73 Including Specific Addresses
Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80
2001:DB8:CAFE:2::/64 (available addresses for this network, /64):
2001:DB8:CAFE:2:0:0:0:0
2001:DB8:CAFE:2:FFFF:FFFF:FFFF:FFFF
2001:DB8:CAFE:2:DEED::/80 (/80):
2001:DB8:CAFE:2:DEED:0:0:0
2001:DB8:CAFE:2:DEED:0:0:1
2001:DB8:CAFE:2:DEED:0:0:
INCLUDED assigned addresses will have these 80 bits. All other addresses are EXCLUDED.

74 Verifying Stateful DHCPv6 Server Configuration
[Diagram: DNS Server 2001:DB8:CAFE:9::99; router G0/1 :1 on 2001:DB8:CAFE:2/64; RA M = 1; DHCPv6]
PC> ipconfig /all
Physical Address : B-88-0E-40
IPv6 Address : 2001:db8:cafe:2:deed:2de8:cfd8:5
Default Gateway : fe80::1
DNS Servers : 2001:db8:cafe:9::99
Connection-specific DNS Suffix Search List:
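The include-only pool from the preceding slides, checked against the addresses actually seen on the link, as an added example that is not part of the original presentation. The prefixes, the router address and the first observed address come from the slides; the other observed addresses and all function names are constructed for illustration.

```python
import ipaddress

# Values from the slides: LAN prefix, include-only pool, router G0/1 address.
LAN = ipaddress.IPv6Network("2001:db8:cafe:2::/64")
POOL = ipaddress.IPv6Network("2001:db8:cafe:2:deed::/80")
STATIC = {ipaddress.IPv6Address("2001:db8:cafe:2::1")}

# Constructed sample of addresses seen on the link (e.g. from a neighbor table).
# The first is the lease shown in the ipconfig output; the rest are made up.
OBSERVED = [
    "2001:db8:cafe:2:deed:2de8:cfd8:5",
    "2001:db8:cafe:2:5c1d:9a0e:77b3:41f2",
    "2001:db8:cafe:2::1",
    "fe80::1",
]

def pool_conflicts(pool, lan=LAN, static=STATIC):
    """Return problems with an include-only DHCPv6 pool definition."""
    problems = []
    if not pool.subnet_of(lan):
        problems.append(f"{pool} is not inside {lan}")
    for addr in sorted(static):
        if addr in pool:
            problems.append(f"{addr} is static but assignable from {pool}")
    return problems

def classify(addr, pool=POOL, lan=LAN, static=STATIC):
    """Label one observed address relative to the stateful DHCPv6 design."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"
    if ip in static:
        return "static"
    if ip in pool:
        return "dhcpv6-lease"
    if ip in lan:
        return "on-link-unmanaged"   # SLAAC/temporary or manually configured
    return "off-link"

def unmanaged(observed):
    """Addresses on the LAN prefix that neither the pool nor the static list explains."""
    return [a for a in observed if classify(a) == "on-link-unmanaged"]

if __name__ == "__main__":
    print(pool_conflicts(POOL), pool_conflicts(LAN))
    for a in OBSERVED:
        print(f"{a:40} {classify(a)}")
```

An address reported by unmanaged() on a segment that is supposed to be stateful-only usually means the A flag is still set in the RA or a host was configured by hand.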

75 Verifying Stateful DHCPv6 Server Configuration
[Diagram: DNS Server 2001:DB8:CAFE:9::99; router G0/1 :1 on 2001:DB8:CAFE:2/64; RA M = 1; DHCPv6]
Router# show ipv6 interface gigabitethernet 0/1
GigabitEthernet 0/1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::1
Global unicast address(es):
2001:DB8:CAFE:2::1, subnet is 2001:DB8:CAFE:2::/64
<output omitted>
Hosts use DHCP to obtain routable addresses.
Router#

76 Stateless and Stateful DHCPv6 Server
[Diagram: G0/0 Stateless, G0/1 Stateful]
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 dhcp pool IPV6-STATELESS
Router(config-dhcpv6)# dns-server 2001:DB8:CAFE:9::99
Router(config-dhcpv6)# domain-name
Router(config)# ipv6 dhcp pool IPV6-STATEFUL
Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80
Router(config)# interface GigabitEthernet 0/0
Router(config-if)# ipv6 address 2001:DB8:CAFE:1::1/64
Router(config-if)# ipv6 address FE80::1 link-local
Router(config-if)# ipv6 nd other-config-flag
Router(config-if)# ipv6 dhcp server IPV6-STATELESS
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ipv6 address 2001:DB8:CAFE:2::1/64
Router(config-if)# ipv6 address FE80::1 link-local
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 dhcp server IPV6-STATEFUL

77 DHCPv6 Relay (If there is time)

78 Forwarding DHCPv6 Messages
[Diagram: client on 2001:DB8:CAFE:2/64; router G0/1 :1; RELAY-FORWARD; DHCPv6 Server 2001:DB8:CAFE:9::55]
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ipv6 dhcp relay destination ipv6-address [exit-int]
The relay agent creates a RELAY-FORWARD message containing the original DHCPv6 message from the client and forwards the message to a server.
The ipv6-address can be:
Unicast or multicast IPv6 address
Link-scope: The output interface must be specified for this kind of address.
From the client's perspective, this is similar to forwarding DHCPv4 messages with the ip helper command.
Managed-config-flag for stateful or other-config-flag for stateless.
The relay agent creates a RELAY-FORWARD message containing the original SOLICIT message from the client and forwards the message to a server using the All_DHCP_Servers multicast address FF05::1:3 with site-local scope. The relay agent can also be configured to use a unicast address for the DHCPv6 server.
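The encapsulation described on this slide, shown at the byte level with both the relay's and the server's view, as an added example that is not part of the original presentation. Message and option codes follow RFC 8415; the transaction ID, MAC address, client link-local address and function names are constructed for illustration.

```python
import ipaddress
import struct

SOLICIT, RELAY_FORW = 1, 12            # DHCPv6 message types (RFC 8415)
OPT_CLIENTID, OPT_RELAY_MSG = 1, 9     # DHCPv6 option codes (RFC 8415)

def option(code, payload):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload

def build_solicit(xid, mac):
    """Client SOLICIT with a DUID-LL client identifier (constructed sample)."""
    duid = struct.pack("!HH", 3, 1) + mac          # DUID-LL, hardware type Ethernet
    return bytes([SOLICIT]) + xid + option(OPT_CLIENTID, duid)

def relay_forward(client_msg, link_addr, peer_addr, hop_count=0):
    """Relay side: wrap the client's message unchanged in a RELAY-FORW."""
    return (bytes([RELAY_FORW, hop_count])
            + ipaddress.IPv6Address(link_addr).packed   # identifies the client's link
            + ipaddress.IPv6Address(peer_addr).packed   # source of the client message
            + option(OPT_RELAY_MSG, client_msg))

def parse_relay_forward(data):
    """Server side: recover link-address, peer-address and the inner message."""
    if len(data) < 34 or data[0] != RELAY_FORW:
        raise ValueError("not a RELAY-FORW message")
    out = {"hop_count": data[1],
           "link": str(ipaddress.IPv6Address(data[2:18])),
           "peer": str(ipaddress.IPv6Address(data[18:34])),
           "inner": None}
    pos = 34
    while pos + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, pos)
        if pos + 4 + length > len(data):
            raise ValueError("truncated option")
        if code == OPT_RELAY_MSG:
            out["inner"] = data[pos + 4:pos + 4 + length]
        pos += 4 + length
    return out

# Constructed client message; the link-address is the router's G0/1 address from the slides.
CLIENT_SOLICIT = build_solicit(b"\x01\x02\x03", bytes.fromhex("020000aabbcc"))
FORWARDED = relay_forward(CLIENT_SOLICIT, "2001:db8:cafe:2::1", "fe80::aabb")

if __name__ == "__main__":
    print(parse_relay_forward(FORWARDED))
```

The server picks the pool from the link-address field, so that field, not the packet's source address, is what ties a relayed request to the client's subnet.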

79 Forwarding DHCPv6 Messages using unicast
[Diagram: client on 2001:DB8:CAFE:2/64; router G0/1 :1; RELAY-FORWARD To: 2001:DB8:CAFE:9::55; DHCPv6 Server 2001:DB8:CAFE:9::55]
Router(config)# ipv6 unicast-routing
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 dhcp relay destination 2001:DB8:CAFE:9::55 g0/0
Callout on g0/0: Only required if link-local unicast is used
When the destination of the DHCP server is a global unicast address, no multicast routing is required.

80 Forwarding DHCPv6 Messages using Multicast
[Diagram: client on 2001:DB8:CAFE:2/64; router G0/1 :1; RELAY-FORWARD To FF05::1:3 All-DHCPv6 Servers; DHCPv6 Server 2001:DB8:CAFE:9::55]
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 multicast-routing
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 dhcp relay destination FF05::1:3
When the destination of the DHCP server is the FF05::1:3 (All-DHCPv6 Servers) multicast address, we need multicast routing enabled for IPv6.

81 DHCPv6 Prefix Delegation Process (If there is time)

82 DHCPv4 and Private Addresses for the Home
[Diagram: ISP (G0/1) and HOME (G0/1, G0/0) routers with NAT. Labels: DHCPv4, Public IPv4 Address for the interface; DHCPv4, Private IPv4 Address: /8 /12 /16]
ISP only has to deliver a public IPv4 address for Home router interface.
DHCPv4 and RFC 1918 private address space is used for home network.
NAT is used for translation, but has its drawbacks!
No NAT between private-public IPv6 (always in debate)
ISP doesn’t have to worry about the home network address. RFC 1918 takes care of that.

83 The World of IPv6 and DHCPv6-PD Complete IPv6 Reachability
[Diagram: ISP-DR, the Delegating Router (DR), G0/1 with a Global IPv6 Address; HOME-RR, the Requesting Router (RR), G0/1 with a Global IPv6 Address, and G0/0]
1 DHCPv6-PD REQUEST
2 DHCPv6-PD REPLY
3 RA with prefix

84 Thank you and STEAL MY STUFF!
Username = cisco Password = perlman

