7: SLAAC (Stateless Address Autoconfiguration) Rick Graziani Cabrillo College

© For more information please check out my Cisco Press book and video series: IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6 By Rick Graziani ISBN-10: IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6 By Rick Graziani ISBN-10:

7.1: Introduction to SLAAC and ICMPv6 ND

© Dynamic IPv6 Address Allocation DHCPv6 and SLAAC with DHCPv6 are discussed in Lesson 8. Global Unicast Manual Dynamic Static IPv6 unnumbered Static + EUI 64 SLAAC DHCPv6 SLAAC + DHCPv6 Similar to IPv4 unnumbered StatelessStateful DHCPv6-PD

© DHCP Server Dynamic IPv4 Address Allocation DHCP Client I need an IPv4 addressing information from a DHCP server. Here is your IPv4 address, subnet mask, default gateway and DNS server addresses.

© ICMPv6 Internet Control Message Protocol for IPv6 Described in RFC 4443 Much more robust than ICMP for IPv4 Contains new functionality and improvements. More than just “messaging” but “how IPv6 conducts business”. Including ICMPv6 Neighbor Discovery (RFC 4861) – used in dynamic address allocation. Note: ICMPv6 is discussed in detail in Lesson 9, ICMPv6 ND in Lesson 10.

© “Introducing” ICMPv6 Neighbor Discovery ICMPv6 informational messages used by Neighbor Discovery (RFC 4861): Router Solicitation Message Router Advertisement Message Used for dynamic address allocation. Neighbor Solicitation Message Neighbor Advertisement Message Used with address resolution (IPv4 ARP) and with DAD Redirect Message (Similar to ICMPv4) Router-Device Messaging Device-Device Messaging

© It Begins with the RA Message An ICMPv6 Router Advertisement (RA) suggests to all IPv6 devices on the link how it will receive IPv6 Address Information. Sent periodically by an IPv6 router or… … when the router receives a Router Solicitation message from a host. DHCPv6 Server ICMPv6 Router Advertisement ICMPv6 Router Solicitation Multicast: To all IPv6 routers, I need IPv6 address information Multicast: To all IPv6 devices, let me suggest to you how to do this … I might not even be needed. 

© It Begins with the RA Message Router Advertisement (RA) Message Part of ICMPv6 (Internet Control Message Protocol for IPv6) RA messages are sent by an “IPv6 router” An IPv6 router (ipv6 unicast-routing command): Forwards IPv6 Packets Enables IPv6 static and dynamic routing Sends ICMPv6 Router Advertisements Note: Routers can be configured with IPv6 addresses without being an IPv6 router. DHCPv6 Server ICMPv6 Router Advertisement Router(config)# ipv6 unicast-routing

© Router Advertisement: 3 Options DHCPv6 Server RA Router(config)# ipv6 unicast-routing Option 1: SLAAC – No DHCPv6 (Default on Cisco routers) “I’m everything you need (Prefix, Prefix-length, Default Gateway)” Option 2: SLAAC + Stateless DHCPv6 for DNS address “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA) Option 3: All addressing except default gateway use DHCPv6 “I can’t help you. Ask a DHCPv6 server for all your information.” DHCPv6 Option 1 and 2: Stateless Address Autoconfiguration DHCPv6 Server does not maintain state of addresses Option 3: Stateful Address Configuration Address received from DHCPv6 Server Options 2 and 3 are discussed in Lesson 8.

© RA Message Options The type of Router Advertisement option depends on two RA flags: Other Configuration Flag and Managed Configuration Flag Default: Both flags are set to 0 (Option 1) Use me (RA) for all your addressing information, no additional information available via DHCPv6. Other Configuration Flag when set to “1” (Option 2) Use me (RA) for your address but you need to get OTHER information from a stateless DHCPv6 server. Managed Configuration Flag when set to “1” (Option 3) The client needs to get ALL of it’s MANAGED information from a stateful DHCPv6 server, except default gateway. Note: Two other flags include the autonomous address-configuration flag and on-link flag. (“A” Flag discussed in lesson 8, “L” Flag beyond the scope of this video.) DHCPv6 Server ICMPv6 Router Advertisement Option 1, 2, or 3 ICMPv6 Router Advertisement Option 1, 2, or 3

© RA Message Options DHCPv6 Server ICMPv6 Router Advertisement Option 1, 2, or 3 ICMPv6 Router Advertisement Option 1, 2, or 3 Configuring Flags discussed in Lesson 8.

© SLAAC: Stateless Address Autoconfiguration DHCPv6 Server Router(config)# ipv6 unicast-routing ICMPv6 Router Advertisement Prefix and other information ICMPv6 Router Advertisement Prefix and other information SLAAC (Stateless Address Autoconfiguration) Allows a device to create its own IPv6 global unicast address without the services of a DHCPv6 server. Prefix: From the Router Advertisement (RA). Interface ID: EUI-64 Random 64-bit value 2001:DB8:CAFE:1::/64 I know the network prefix from the RA. I just need to come up with my own Interface ID for my GUA!

© DHCPv6 DHCPv6 Server Ignoring the RA Message? The ICMPv6 Router Advertisement suggests to the host how to get its address automatically. Can a host ignore an ICMPv6 Router Advertisement? Host operating systems can include the option of ignoring the Router Advertisement from the router and only use the stateful services of a DHCPv6 server (or what ever it wants to do). However, hosts can’t ignore the default gateway (source of RA) unless manually configured. ICMPv6 Router Advertisement Link-local address

7.2: Creating the Interface ID: EUI-64 or Random Value

© Obtaining an IPv6 Address Automatically

© Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration. SLAAC Option 1 – RA Message To: FF02::1 (All-IPv6 devices) From: FE80::1 (Link-local address) Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 RA 1 1 MAC: D2-8C-E0-4C Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 Default Gateway: FE80::1 Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID 2001:DB8:CAFE:1::/64 EUI-64 Process or Random 64-bit value 2 2 DHCPv6 Server 3 3 SLAAC: Stateless Address Autoconfiguration

© SLAAC: Interface ID Global Routing Prefix 64-bit Interface ID 16-bit Subnet ID /64 /48 EUI-64 ProcessRandomly Generated Number (Privacy Extension) SLAAC DHCPv6 Server Default OS behavior can be changed. Known instead of unknown © Copyright DOC RABE MediaMan in paper bag on head © Copyright binik

© Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration. SLAAC Option 1 – RA Message To: FF02::1 (All-IPv6 devices) From: FE80::1 (Link-local address) Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 RA 1 1 MAC: D2-8C-E0-4C Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 Default Gateway: FE80::1 Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID 2001:DB8:CAFE:1::/64 EUI-64 Process or Random 64-bit value 2 2 DHCPv6 Server 3 3 SLAAC: EUI-64 Option

© Modified EUI-64 Format (Extended Unique Identifier–64) 0019D28CE04C OUI (24 bits)Device Identifier (24 bits) 0019D28CE04CFFFE 19D28CE04CFFFE U/L bit flipped D28CE04CFFFE Insert FF-FE

© PC> ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: IPv6 Address : 2001:db8:cafe:1:0219:d2ff:fe8c:e04c Link-local IPv6 Address.. : fe80::0219:d2ff:fe8c:e04c Default Gateway..... : fe80::1 Router Advertisement EUI-64 A 64-bit Interface ID and the EUI-64 process accommodates: The IEEE specification for a 64-bit MAC address 64-bit boundary processing Verifying SLAAC on the PC Using EUI-64 Why. The Dude looking at the red question mark © Copyright jojje11

© SLAAC: Random 64-bit Interface ID Global Routing Prefix 64-bit Interface ID 16-bit Subnet ID /64 /48 EUI-64 ProcessRandomly Generated Number (Privacy Extension) SLAAC DHCPv6 Server Known instead of unknown © Copyright DOC RABE MediaMan in paper bag on head © Copyright binik

© PC-Windows7> ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: IPv6 Address : 2001:db8:cafe:1:50a5:8a35:a5bb:66e1 Link-local IPv6 Address.. : fe80::50a5:8a35:a5bb:66e1 Default Gateway..... : fe80::1 Router Advertisement EUI-64 Verifying SLAAC on the PC Using Privacy Extension No FF-FE

© SLAAC: Including the DNS Server in the RA * DNS Server Router(config)# ipv6 unicast-routing ICMPv6 Router Advertisement Prefix and other information ICMPv6 Router Advertisement Prefix and other information G0/1 2001:DB8:CAFE:1::/64 Router(config)# ipv6 unicast-routing Router(config)# interface gigabitethernet 0/1 Router(config-if)# ipv6 nd ra dns server 2001:db8:cafe:1:: :DB8:CAFE:1::99 Configures a DNS server with an IPv6 address of 2001:DB8::CAFE:1::1 to be advertised in an RA with a lifetime of 600 seconds.

© Global Unicast :db8:cafe:1:0219:d2ff:fe8c:e04c Link-local - fe80::50a5:8a35:a5bb:66e1 Neighbor Advertisement? Neighbor Solicitation Ensuring Unique Unicast Addresses Not received = unique address Received = duplicate address SLAAC is stateless, no entity (DHCPv6 server) maintaining a state address- to-device mappings. How can we guarantee the address is unique? Duplicate Address Detection (DAD) Once required for all unicast addresses (static or dynamic), RFC was updated that DAD is only recommended. /64 Interface IDs!

7.3: Configuring a Router as a SLAAC Client

© Routers versus IPv6 Routers A router (not enabled as an IPv6 router): Configure IPv6 addresses Member of All-IPv6 devices multicast group An IPv6 router: Same as a non-IPv6 router Member of All-IPv6 routers multicast group Sends ICMPv6 Router Advertisement messages Can enable IPv6 routing protocols Forward IPv6 packets (transiting the router) RouterIPv6 Router 2001:DB8:CAFE:1::1/64 FE80::1 2001:DB8:CAFE:1::1/64 FE80::1 FF02::1 (All-IPv6 devices) FF02::2 (All-IPv6 routers) ICMPv6 Router Advertisement Forward IPv6 Packets RIPng OSPFv3 EIGRP for IPv6 RIPng OSPFv3 EIGRP for IPv6 Router(config)# ipv6 unicast-routing

© R1 Client Client(config)# interface gig 0/1 Client(config-if)# ipv6 enable ! Not needed Client(config-if)# ipv6 address autoconfig default Client(config-if)# no shutdown Gig 0/1 R1(config)# interface gig 0/1 R1(config-if)# ipv6 address 2001:db8:cafe:1::1/64 R1(config-if)# ipv6 address fe80::1 link-local R1(config-if)# no shutdown R1(config-if)# exit R1(config)# ipv6 unicast-routing Configuring the Router as a Client 2001:DB8:CAFE:1::/64 ICMPv6 Router Advertisement “IPv6 Router” Link-local address created Now I can accept RA messages and get a GUA automatically!

© R1 Client Gig 0/1 ::1 R1# show ipv6 interface gigabitethernet 0/1 GigabitEthernet0/1 is up, line protocol is up IPv6 is enabled, link-local address is FE80::1 Global unicast address(es): 2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64 Joined group address(es): FF02::1 FF02::2 FF02::FB FF02::1:FF00:1 ND router advertisements are sent every 200 seconds Hosts use stateless autoconfig for addresses. Verifying the RA Message 2001:DB8:CAFE:1::/64 ICMPv6 Router Advertisement Partial output FE80::1

© R1 Client Gig 0/1 ::1 Client# show ipv6 interface brief GigabitEthernet0/1 [up/up] FE80::8A5A:92FF:FE3B:29E1 2001:DB8:CAFE:1:8A5A:92FF:FE3B:29E1 Client# show interface gigabitethernet 0/1 GigabitEthernet0/1 is up, line protocol is up Hardware is CN Gigabit Ethernet, address is 885a.923b.29e1 (bia 885a.923b.29e1) Verifying the Client (Router) Is Using SLAAC/EUI :DB8:CAFE:1::/64 ICMPv6 Router Advertisement FE80::1 EUI-64

© R1 Client Gig 0/1 ::1 Client# show ipv6 route IPv6 Routing Table - default - 4 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ND ::/0 [2/0] via FE80::1, GigabitEthernet0/1 NDp 2001:DB8:CAFE:1::/64 [2/0] via GigabitEthernet0/1, directly connected Router versus “IPv6 Router” 2001:DB8:CAFE:1::/64 ICMPv6 Router Advertisement Partial output FE80::1 Default route learned via Neighbor Discovery (SLAAC) Prefix learned via Neighbor Discovery (SLAAC)

7.4: IPv6 Enabled Clients and Your Network

© You Are Probably Already Running IPv6 Windows Vista or later, Mac OSX, Linux already running IPv6 Potential DoS or MITM attack, even if the router is not IPv6 enabled. Even if the router is not IPv6 enabled, your clients are mostly like are! I can still do a DoS attack on clients or perhaps even still to a MITM attack. There are mitigation techniques such as RA Guard. R1 Rogue RA RS IPv4 IPv6 IPv4 IPv6 IPv4 IPv6 I need an IPv6 prefix Here is an IPv6 prefix and gateway People Icon: Occupations set 5 © Copyright Fredy Sujono

© SLAAC with DHCPv6 Global Unicast Manual Static IPv6 unnumbered Static + EUI 64 SLAAC DHCPv6 SLAAC + DHCPv6 Similar to IPv4 unnumbered StatelessStateful DHCPv6-PD Dynamic Stateful Lesson 8

© For more information please check out my Cisco Press book and video series: IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6 By Rick Graziani ISBN-10: IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6 By Rick Graziani ISBN-10:

7: SLAAC (Stateless Address Autoconfiguration) Rick Graziani Cabrillo College