Ch.9 Stateless Address Autoconfiguration (SLAAC)


1 Ch.9 Stateless Address Autoconfiguration (SLAAC)
CIS 116 IPv6 Fundamentals, Rick Graziani, Cabrillo College

2 Router Advertisement Message

3 Router Advertisement Flags
The RA message contains three flags to tell a device how to obtain or create its global unicast address:
- Address Autoconfiguration flag (A flag), default on: When set to 1 (on), this flag tells the receiving host to use SLAAC to create its global unicast address.
- Other Configuration flag (O flag), default off: When set to 1 (on), this flag tells the host to get other addressing information, other than its global unicast address, from a stateless DHCPv6 server.
- Managed Address Configuration flag (M flag): When set to 1 (on), this flag tells the host to use a stateful DHCPv6 server for its global unicast address and all other addressing information.

RA address allocation methods and their flag settings:
- Method 1: SLAAC (default): A = 1 (on), O = 0 (off), M = 0 (off)
- Method 2: SLAAC and stateless DHCPv6: A = 1 (on), O = 1 (on), M = 0 (off)
- Method 3: Stateful DHCPv6: A = 0 (off), O = N/A, M = 1 (on)

4 Method 1: SLAAC (Figure 9-1)
Topology: R1 G0/0 on 2001:db8:cafe:1::/64 with GUA 2001:db8:cafe:1::1 and LLA fe80::1; WinPC with LLA fe80::d0f8:9ff6:4201:7086.
    R1(config)# ipv6 unicast-routing
1. R1 sends the RA. IPv6 header: To ff02::1 (all-IPv6 devices), From fe80::1 (link-local address). ICMPv6 Router Advertisement: Prefix 2001:db8:cafe:1::, Prefix-length /64, Flags A = 1, O = 0, M = 0, Other options: DNS server address.
2. WinPC learns from the RA: Default gateway fe80::1, Prefix 2001:db8:cafe:1::, Prefix-length /64, Flags A = 1.
3. WinPC creates the Interface ID with the EUI-64 process or a random 64-bit value.
4. GUA address: 2001:db8:cafe:1: + Interface ID.

5 R1 is part of the all-IPv6 routers multicast group, ff02::2.
    R1(config)# ipv6 unicast-routing
    R1(config)# exit
    R1# show ipv6 interface gigabitethernet 0/0
    GigabitEthernet0/0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::1
      No Virtual link-local address(es):
      Global unicast address(es):
        2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::FB
        FF02::1:FF00:1
      MTU is 1500 bytes
      <output omitted for brevity>
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is milliseconds (using 30000)
      ND advertised reachable time is 0 (unspecified)
      ND advertised retransmit interval is 0 (unspecified)
      ND router advertisements are sent every 200 seconds
      ND router advertisements live for 1800 seconds
      ND advertised default router preference is Medium
      Hosts use stateless autoconfig for addresses.

FF02::2: R1 is part of the all-IPv6 routers multicast group, ff02::2.
MTU is 1500 bytes: This informs hosts of the maximum transmission unit (MTU) for the link. Hosts use this information to maximize the size of the IPv6 packet.

Joined group addresses:
- All-IPv6 devices (FF02::1) – this interface joined this group when a GUA address was configured or the ipv6 enable command was used on the interface.
- All-IPv6 routers (FF02::2) – joined when the ipv6 unicast-routing command was enabled.
- OSPFv3 groups – joined when OSPFv3 is enabled on this interface (later).
- Solicited-node (FF02::1:FF00:1) – coming next.

6 ND router advertisements are sent every 200 seconds:
(Same show ipv6 interface gigabitethernet 0/0 output as slide 5.)
ND router advertisements are sent every 200 seconds: How often periodic RA messages are sent on this interface. The default is 200 seconds.

7 ND router advertisements live for 1800 seconds:
(Same show ipv6 interface gigabitethernet 0/0 output as slide 5.)
ND router advertisements live for 1800 seconds: The Router Lifetime information sent in RA messages. It informs a host of the duration, in seconds, that the router should be used as the default gateway. 0 indicates that the router is not a default gateway. This applies only to the router's function as a default gateway; it does not apply to other information contained in the RA. The host refreshes its own timer every time it receives a Router Advertisement. The default is 1800 seconds.

8 ND advertised default router preference is Medium:
(Same show ipv6 interface gigabitethernet 0/0 output as slide 5.)
ND advertised default router preference is Medium: The value of the Default Router Preference (DRP). Hosts dynamically populate their Default Router List based on the source IPv6 addresses of the RA messages. The DRP (default gateway) can be high, medium (default), or low. This helps the host determine which router to use as the default gateway when it receives multiple RA messages. The default is medium.

9 Default Router List
Default gateway? A device that is not a router maintains a Default Router List. When a device receives a Router Advertisement, it adds the link-local source address of the packet as one of the routers it can use as a default gateway. Each entry has an invalidation timer, the Router Lifetime, extracted from the Router Advertisement, which is used to delete entries that are no longer being advertised.

10 Hosts use stateless autoconfig for addresses:
(Same show ipv6 interface gigabitethernet 0/0 output as slide 5.)
Hosts use stateless autoconfig for addresses: Indicates that the RA message sent on this interface is suggesting that hosts obtain their dynamic IPv6 addressing using SLAAC, as a result of the A flag being set to 1. Because the O and M flags are set to 0, there is no suggestion to use a DHCPv6 server.

11 Router Advertisement Message
Topology (figure labels): subnets 2001:db8:cafe:1::/64, 2001:db8:cafe:2::/64, 2001:db8:cafe:3::/64 and 2001:db8:cafe:4::/64; R1 G0/0 ::1 fe80::1, G0/1 ::1 fe80::1; R2 G0/1 ::2 fe80::2, G0/0 ::1 fe80::2; R3 G0/1 ::2 fe80::3, G0/0 ::1 fe80::3; WinPC and LinuxPC. R1 sends the RA on G0/0.
    R1(config)# ipv6 unicast-routing
    R1(config)# exit
    R1# debug ipv6 nd
    ICMP Neighbor Discovery events debugging is on
    R1#
    *Nov 27 18:34:52.494: ICMPv6-ND: (GigabitEthernet0/0,FE80::1) send RA to FF02::1
    *Nov 27 18:34:52.494: ICMPv6-ND: (GigabitEthernet0/0,FE80::1) Sending RA (1800) to FF02::1
    *Nov 27 18:34:52.494: ICMPv6-ND:     MTU = 1500
    *Nov 27 18:34:52.494: ICMPv6-ND:     prefix 2001:DB8:CAFE:1::/64 [LA] /604800
    <output omitted for brevity>
    R1# undebug all

12 GigabitEthernet0/0: This is the egress interface of the RA message.
(Same debug ipv6 nd output as slide 11.)
GigabitEthernet0/0: This is the egress interface of the RA message.
FE80::1: This is the source IPv6 address of the RA message and the address that hosts can use to populate their Default Router List.

13 Sending RA (1800)
(Same debug ipv6 nd output as slide 11.)
Sending RA: Indicates that the information on this line and the indented lines that follow are from a Router Advertisement message sent by this router.
(1800): Router Lifetime, the duration (in seconds) that the router should be used as the default gateway. (1800 seconds equals 30 minutes.)

14 This is the maximum transmission unit (MTU) for the link.
(Same debug ipv6 nd output as slide 11.)
to FF02::1: ff02::1 is the all-IPv6-devices multicast address, the destination IPv6 address of the Router Advertisement.
MTU = 1500: This is the maximum transmission unit (MTU) for the link.

15 Prefix length associated with on-link devices (coming)
(Same debug ipv6 nd output as slide 11.)
prefix 2001:DB8:CAFE:1::/64: Prefix that devices can use to create a global unicast address using SLAAC. Prefix length associated with on-link devices (coming).

16 The L flag (On-Link flag) is discussed in the next section.
(Same debug ipv6 nd output as slide 11.)
[LA]: The L flag (On-Link flag) and A flag (Address Autoconfiguration flag) are both set to 1. When set to 1, the On-Link flag indicates that the prefix sent in the RA is on this link or subnet. The A flag indicates to devices that the prefix can be used to create an address with SLAAC. The L flag (On-Link flag) is discussed further in the next section.

17 These are the Valid Lifetime and Preferred Lifetime, in seconds.
(Same debug ipv6 nd output as slide 11.)
/604800: These are the Valid Lifetime and Preferred Lifetime, in seconds. Coming soon!
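As an added example (not part of the presentation), the following Python builds a Router Advertisement carrying the fields the debug output above shows (Router Lifetime 1800, MTU 1500, prefix 2001:db8:cafe:1::/64 with L and A set) and decodes it with RFC 4861 option parsing; the DNS server 2001:db8:1::1, its 600-second lifetime and the 2592000-second Valid Lifetime are assumed values. The same decoding is what a monitoring tool on a host or switch would use to log which link-local source is advertising which prefixes and flags.

```python
"""Build and decode an ICMPv6 Router Advertisement (RFC 4861) with the
options discussed on these slides: Prefix Information, MTU and RDNSS."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_MTU = 5
OPT_RDNSS = 25        # RFC 6106 Recursive DNS Server option

FLAG_M = 0x80         # Managed Address Configuration (stateful DHCPv6)
FLAG_O = 0x40         # Other Configuration (stateless DHCPv6)
PIO_L = 0x80          # On-Link flag in a Prefix Information option
PIO_A = 0x40          # Address Autoconfiguration flag


def build_ra(router_lifetime, prefix, valid, preferred, mtu, dns,
             m=False, o=False, dns_lifetime=600):
    """Construct an RA (constructed test data, not a captured packet).
    The ICMPv6 checksum is left at 0; it covers the IPv6 pseudo-header."""
    net = ipaddress.IPv6Network(prefix)
    flags = (FLAG_M if m else 0) | (FLAG_O if o else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                      router_lifetime, 0, 0)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                      PIO_L | PIO_A, valid, preferred, 0,
                      net.network_address.packed)
    mtu_opt = struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    rdnss = b""
    if dns:
        rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, dns_lifetime)
        rdnss += b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return hdr + pio + mtu_opt + rdnss


def parse_ra(data):
    """Decode the RA header and the options above into a dict."""
    typ, code, _csum, hop_limit, flags, router_lifetime, reach, retrans = \
        struct.unpack_from("!BBHBBHII", data, 0)
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "M": bool(flags & FLAG_M),
          "O": bool(flags & FLAG_O), "router_lifetime": router_lifetime,
          "reachable_ms": reach, "retrans_ms": retrans,
          "prefixes": [], "mtu": None, "dns": []}
    off = 16
    while off < len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:                       # RFC 4861 4.6: must be discarded
            raise ValueError("zero-length ND option")
        body = data[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _res, pfx = \
                struct.unpack("!BBIII16s", body[2:])
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network((pfx, plen), strict=False)),
                "L": bool(pflags & PIO_L), "A": bool(pflags & PIO_A),
                "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU and olen == 1:
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        elif otype == OPT_RDNSS:
            for i in range(8, len(body), 16):
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8                     # unknown options are skipped, not fatal
    return ra


def allocation_method(ra):
    """Map the A/O/M flags to the three methods of the RA Flags slide."""
    a = any(p["A"] for p in ra["prefixes"])
    if ra["M"]:
        return "Method 3: Stateful DHCPv6"
    if a and ra["O"]:
        return "Method 2: SLAAC and stateless DHCPv6"
    if a:
        return "Method 1: SLAAC"
    return "no address autoconfiguration advertised"


def debug_lines(ra):
    """Render the decoded RA the way 'debug ipv6 nd' summarises it."""
    lines = [f"Sending RA ({ra['router_lifetime']})", f"MTU = {ra['mtu']}"]
    for p in ra["prefixes"]:
        fl = ("L" if p["L"] else "") + ("A" if p["A"] else "")
        lines.append(f"prefix {p['prefix']} [{fl}] {p['valid']}/{p['preferred']}")
    return lines


# Constructed sample mirroring R1's RA on the slides (Valid Lifetime 2592000 assumed).
SAMPLE_RA = build_ra(router_lifetime=1800, prefix="2001:db8:cafe:1::/64",
                     valid=2592000, preferred=604800, mtu=1500,
                     dns=["2001:db8:1::1"])

if __name__ == "__main__":
    decoded = parse_ra(SAMPLE_RA)
    print("\n".join(debug_lines(decoded)), "|", allocation_method(decoded))
```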

18 End Result
    WinPC> ipconfig
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix . :
       IPv6 Address : 2001:db8:cafe:1:d0f8:9ff6:4201:7086
       Temporary IPv6 Address : 2001:db8:cafe:1:78bd:10b0:aa92:62c
       Link-local IPv6 Address : fe80::d0f8:9ff6:4201:7086%11
       <output omitted>
       Default Gateway : fe80::1%11
This will all be explained soon…
WinPC has two global unicast addresses:
- 2001:db8:cafe:1:d0f8:9ff6:4201:7086 – a public address (not to be confused with a public address in IPv4)
- 2001:db8:cafe:1:78bd:10b0:aa92:62c – a temporary address
The temporary address is added because the Windows OS implements the privacy extension for SLAAC. (coming!) Also, notice that both GUA addresses and the link-local address use a random 64-bit value to create the Interface ID – a result of the privacy extension. (coming!) The privacy extension is used to help provide anonymity and privacy. (coming!)

19 On-Link Router Preference

20 On-Link Determination
Do I send the packet directly to the device or to my default gateway? How does a host know whether to send a packet directly to the destination or to the default gateway? In the IPv4 world, a host does a logical AND with the IPv4 address and its own subnet mask to determine its local network address.

21 The IPv6 world is different.
(Same debug ipv6 nd output as slide 11.)
The IPv6 world is different. An IPv6 device determines its local subnet, known as the on-link prefix, using two fields in the Router Advertisement:
- Prefix
- On-Link flag (L flag)

22 Adds this prefix to its Prefix List, a list of on-link prefixes.
    WinPC> netsh interface ipv6 show siteprefixes
    Prefix                   Lifetime      Interface
    2001:db8:cafe:1::/       d23h59m56s    Local Area Connection
When a host receives an RA with a prefix and the L flag set to 1 (the default), it:
- Adds this prefix to its Prefix List, a list of on-link prefixes.
- Considers any of its addresses that use this prefix (SLAAC generated, manually configured, or DHCPv6) to be on-link to this prefix, on this subnet.
- Can send any packet with this prefix in the destination IPv6 address directly to the device.

23 Is the destination IPv6 address of this packet on-link?
On-link means that a packet can be sent directly to a device without being forwarded through a router. According to RFC 4861, Neighbor Discovery for IPv6, a device considers an address to be on-link if one of the following conditions is present:
- A Router Advertisement message includes this prefix with the On-Link flag set to 1.
- A local router indicates that this address is on-link in a Redirect message. When a router forwards a packet out the same interface it was received on, the router sends a Redirect message to the source of the packet. The source then considers this address as on-link and forwards subsequent packets directly to the device.
- An ICMPv6 Neighbor Advertisement message is received for the target address. (A Neighbor Advertisement is similar to an ARP Reply in IPv4.)
- Any ICMPv6 Neighbor Discovery message is received from this device.

24 Is the destination IPv6 address of this packet on-link?
The following are some of the characteristics of on-link determination:
- By default, a host treats only the prefix of its link-local address as on-link. A link-local address is permanently on-link.
- The prefix is considered on-link for the period specified by the Valid Lifetime. The Valid Lifetime is reset each time a new RA is received with this same prefix and the L flag set to 1.
- The prefix of an IPv6 address assigned to an interface using manual configuration, SLAAC, or DHCPv6 is not implicitly considered on-link. The host can only consider the prefix on-link if it can be explicitly determined.
- A destination is assumed to be off-link unless there is explicit information indicating that it is on-link.
- A host can have an IPv6 address that isn't related to any on-link prefix; in other words, it doesn't belong to any subnet. It can also have an on-link prefix that is not associated with any of its addresses.

25 The prefix for this destination IPv6 address is off-link
Packets sent to any addresses that are not on-link are sent to the default router (default gateway).
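As an added example (not part of the presentation), this Python models the host-side state the on-link slides describe: a Prefix List fed only by RA prefixes with L = 1, a Default Router List keyed by the RA's link-local source with the Router Lifetime and DRP, a Redirect entry, and the next-hop decision that falls back to the default router for anything not explicitly on-link. Router addresses and lifetimes are taken from the slides; the destination addresses are constructed.

```python
"""Host-side on-link determination and next-hop choice from the RFC 4861 rules
listed on these slides, driven by Router Advertisements and Redirects."""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")   # on-link by default, permanently
PREFERENCE = {"high": 1, "medium": 0, "low": -1}  # Default Router Preference (DRP)


class HostNdState:
    """The Prefix List and Default Router List a non-router host maintains."""

    def __init__(self):
        self.prefix_list = {LINK_LOCAL: None}   # prefix -> expiry (None = never)
        self.default_routers = {}               # router LLA -> (expiry, preference)
        self.redirect_targets = set()           # destinations a Redirect marked on-link

    def receive_ra(self, src, router_lifetime, prefixes, now, drp="medium"):
        """prefixes: iterable of (prefix, L_flag, valid_lifetime)."""
        src = ipaddress.IPv6Address(src)
        if not src.is_link_local:
            return              # RFC 4861 6.1.2: an RA must come from a link-local source
        if router_lifetime > 0:
            self.default_routers[src] = (now + router_lifetime, PREFERENCE[drp])
        else:
            self.default_routers.pop(src, None)   # Router Lifetime 0: not a default gateway
        for prefix, on_link, valid in prefixes:
            net = ipaddress.IPv6Network(prefix)
            if not on_link:
                continue        # L = 0 says nothing about on-link status (A may still apply)
            if valid == 0:
                self.prefix_list.pop(net, None)
            else:
                self.prefix_list[net] = now + valid   # Valid Lifetime reset on each RA

    def receive_redirect(self, src, destination):
        """A router forwarding a packet back out the same interface sends a Redirect."""
        if ipaddress.IPv6Address(src).is_link_local:
            self.redirect_targets.add(ipaddress.IPv6Address(destination))

    def is_on_link(self, destination, now):
        dst = ipaddress.IPv6Address(destination)
        if dst in self.redirect_targets:
            return True
        return any(dst in net and (expiry is None or expiry > now)
                   for net, expiry in self.prefix_list.items())

    def next_hop(self, destination, now):
        """Address the host resolves with Neighbor Discovery: the destination
        itself when on-link, otherwise the best live default router, else None."""
        if self.is_on_link(destination, now):
            return destination
        live = [(pref, str(r)) for r, (exp, pref) in self.default_routers.items()
                if exp > now]
        if not live:
            return None         # assumed off-link and no default router: unreachable
        return max(live)[1]     # highest DRP wins; ties broken by address text
```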

26 Creating the Interface

27 Obtaining an IPv6 Address Automatically

28 SLAAC: Stateless Address Autoconfiguration
SLAAC Option 1 (host MAC 00:50:56:af:25:24, subnet 2001:db8:cafe:1::/64):
1. RA message – To: ff02::1 (all-IPv6 devices), From: fe80::1 (link-local address), Prefix: 2001:db8:cafe:1::, Prefix-length: /64.
2. The host learns from the RA: Prefix 2001:db8:cafe:1::, Prefix-length /64, Default gateway fe80::1. Global unicast address: 2001:db8:cafe:1: + Interface ID.
3. Interface ID: EUI-64 process or random 64-bit value.
Note: Domain name and DNS server list may be included if the router (and end system) support RFC 6106, IPv6 RA Options for DNS Configuration (figure label: ipv6 nd ra dns-suffix ipv6.vmwcs.com).

Slide notes (Cisco command reference): To configure the IPv6 router advertisement of DNS server addresses on an interface, use the ipv6 nd ra dns server command in interface configuration mode. To remove the IPv6 router advertisement of DNS server addresses, use the no form of this command.
    ipv6 nd ra dns server ipv6-address seconds
    no ipv6 nd ra dns server ipv6-address
Syntax Description: seconds – The amount of time (in seconds) that the Domain Naming System (DNS) server is advertised in an IPv6 router advertisement (RA). The range is from 200 to
Command Default: The DNS server is not advertised in an IPv6 RA.
Command Modes: Interface configuration (config-if)
Command History: Cisco IOS XE Release 3.9S – This command was introduced.
Usage Guidelines: You can use the ipv6 nd ra dns server command to configure up to eight DNS server addresses in an RA. If you configure a seconds value of zero, the DNS server will no longer be used.
Examples: The following example configures a DNS server with an IPv6 address of 2001:DB8:1::1 to be advertised in an RA with a lifetime of 600 seconds:
    Router(config)# interface ethernet 0/0
    Router(config-if)# ipv6 nd ra dns server 2001:DB8:1::1 600

29 SLAAC: Interface ID
Address layout: /48 Global Routing Prefix, 16-bit Subnet ID (to /64), 64-bit Interface ID. With SLAAC the Interface ID comes from either the EUI-64 process or a randomly generated number (privacy extension). Check your OS for the default. Most operating systems provide options to use either one. A Cisco router configured as a client will use EUI-64. More on the router as a client in Lesson 8 when we discuss SLAAC and DHCPv6. Default OS behavior can be changed.

30 SLAAC: EUI-64 Option
(Same SLAAC Option 1 diagram and ipv6 nd ra dns server command reference as slide 28; host MAC 00:50:56:af:25:24, RA prefix 2001:db8:cafe:1::/64 from fe80::1.)
As of now Cisco only supports DNS server advertisement, not the domain name, on IOS XE.

31 Modified EUI-64 Format (Extended Unique Identifier–64)
MAC address: OUI (24 bits) 00 50 56, Device Identifier (24 bits) af 25 24
Insert FF-FE between the OUI and the device identifier: 00 50 56 ff fe af 25 24
Flip the U/L bit (00 becomes 02): 02 50 56 ff fe af 25 24
Inserting FFFE gives us a 64-bit Interface ID. IPv6 64-bit interface IDs are on a 64-bit boundary and accommodate the IEEE specification for 64-bit MAC addresses. IEEE has chosen FFFE as a reserved value which can only appear in an EUI-64 generated from an EUI-48 MAC address (IEEE's Guidelines for EUI-64 Registration Authority). The reason for flipping the U/L bit can be found in RFC 4291, IP Version 6 Addressing Architecture.

32 Verifying SLAAC on a Host Using EUI-64
    LinuxPC$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:50:56:af:25:24
              inet6 addr: 2001:db8:cafe:4:250:56ff:feaf:2524/64 Scope:Global
              inet6 addr: fe80::250:56ff:feaf:2524/64 Scope:Link
              inet6 addr: 2001:db8:cafe:4:314a:dd3e:762f:e140/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
The first global unicast address (the public address) and the link-local address use EUI-64. The ff:fe in the middle of the Interface ID is a good indication that SLAAC with EUI-64 was most likely used. The second global unicast address, 2001:db8:cafe:4:314a:dd3e:762f:e140, uses a randomized Interface ID – a temporary address (privacy extension); ff:fe does not appear in it.
Slide notes: FF-FE – more than likely EUI-64. The link-local address usually uses the same process. The default gateway is a link-local address – why?
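As an added example (not part of the presentation), this Python carries out the Modified EUI-64 steps from slide 31 on LinuxPC's MAC 00:50:56:af:25:24, forms the GUA and link-local addresses seen in the ifconfig output, and does the reverse check the slide suggests: look for ff:fe in the middle of the Interface ID and recover the MAC, returning None for the randomized temporary address. The randomized Interface ID generator follows RFC 4941 (U/L bit cleared) and is an assumption about the privacy extension, not a copy of any OS implementation.

```python
"""Modified EUI-64 interface IDs (RFC 4291) and the randomized alternative
(RFC 4941): create them from a MAC, and recognise EUI-64 in an address."""
import ipaddress
import re
import secrets


def mac_to_modified_eui64(mac):
    """00:50:56:af:25:24 -> 02 50 56 ff fe af 25 24: insert ff:fe between the
    OUI and the device identifier, then flip the U/L bit of the first byte."""
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_interface_id():
    """Randomized interface ID for the privacy extension; RFC 4941 clears the
    U/L bit so the value cannot collide with a universally unique EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def address_from_iid(prefix, iid):
    """Combine a /64 prefix from the RA with a 64-bit interface ID (SLAAC)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit interface ID")
    return str(ipaddress.IPv6Address(int(net.network_address)
                                     | int.from_bytes(iid, "big")))


def slaac_address(prefix, mac):
    """The EUI-64 SLAAC address a host with this MAC forms for this prefix."""
    return address_from_iid(prefix, mac_to_modified_eui64(mac))


def eui64_mac(address):
    """If the interface ID has ff:fe in the middle (the EUI-64 signature the
    slides point at), return the embedded MAC; otherwise None. None for a GUA
    is what a temporary or privacy-extension address looks like."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                      # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:50:56:af:25:24"           # LinuxPC's MAC from the ifconfig output
    for pfx in ("2001:db8:cafe:4::/64", "fe80::/64"):
        print(slaac_address(pfx, mac))
    print(eui64_mac("2001:db8:cafe:4:314a:dd3e:762f:e140"))   # temporary: None
```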

33 SLAAC: Random 64-bit Interface ID
Address layout: /48 Global Routing Prefix, 16-bit Subnet ID (to /64), 64-bit Interface ID. With SLAAC the Interface ID comes from either the EUI-64 process or a randomly generated number (privacy extension). Check your OS for the default. Most operating systems provide options to use either one.

34 Verifying SLAAC on the WinPC Using Privacy Extension
    WinPC> ipconfig /all
    <output omitted for brevity>
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix :
       Description : Intel(R) PRO/1000 MT Network Connection
       Physical Address : AF-97-68
       DHCP Enabled : Yes
       Autoconfiguration Enabled : Yes
       IPv6 Address : 2001:db8:cafe:1:d0f8:9ff6:4201:7086 (Preferred)
       Temporary IPv6 Address : 2001:db8:cafe:1:78bd:10b0:aa92:62c (Preferred)
       Link-local IPv6 Address : fe80::d0f8:9ff6:4201:7086%11 (Preferred)
       Default Gateway : fe80::1%11
Random Interface IDs: no FF-FE appears in any of the addresses.

35 Windows Default: Randomize Identifier Enabled
SLAAC on WinPC: the RA message (prefix and A flag = 1) triggers creating an address with the RA prefix; the Interface ID depends on the randomize identifier setting: enabled gives random 64 bits, disabled gives EUI-64.
    WinPC> netsh interface ipv6 set global randomizeidentifiers=enabled store=active
    Ok.
    WinPC> netsh interface ipv6 set global randomizeidentifiers=enabled store=persistent

36 Verifying SLAAC on the WinPC Using Privacy Extension
    WinPC> netsh interface ipv6 set global randomizeidentifiers=disabled store=active
    Ok.
    WinPC> netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
    WinPC> ipconfig
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix . :
       IPv6 Address : 2001:db8:cafe:1:250:56ff:feaf:9768
       Temporary IPv6 Address : 2001:db8:cafe:1:78bd:10b0:aa92:62c
       Link-local IPv6 Address : fe80::250:56ff:feaf:9768%11
Public = EUI-64, Temporary = Random, LLA = EUI-64. The ff:fe appears in the public GUA and the LLA, not in the temporary address.

37 Privacy Extension for SLAAC

38 IPv6 address -> Ethernet NIC
Some have concerns about using an Interface ID that can be associated directly to a physical device (or Ethernet NIC), an address that never changes. Any time a fixed identifier (address) is used in multiple sessions and with various applications, it becomes possible to correlate the same address to seemingly unrelated activity. RFC 4941, Privacy Extensions for Stateless Address Autoconfiguration in IPv6, offers the following example:
    "For example, a network sniffer placed strategically on a link across which all traffic to/from a particular host crosses could keep track of which destinations a node communicated with and at what times. Such information can in some cases be used to infer things, such as what hours an employee was active, when someone is at home, and so on."
Periodically changing the Interface ID of an address makes it more difficult for eavesdroppers and other information collectors, such as websites and mobile apps, to associate these different addresses and transactions to a particular device.

39 Privacy Extension (RFC 4941): Randomized Interface ID and Temporary Address
WinPC settings (defaults marked): Randomize identifier (Interface ID) – enabled = random 64 bits (default), disabled = EUI-64. Privacy (Temporary Address) – enabled = temporary address (default), disabled = no temporary address. From the RA message (prefix and A flag = 1), SLAAC creates a public address (RA prefix + randomized Interface ID) and a temporary address (RA prefix + random 64 bits).
RFC 4941, Privacy Extensions for Stateless Address Autoconfiguration in IPv6, addresses these concerns:
- Generation of randomized Interface IDs: a mechanism for creating an Interface ID that is not traceable to a physical device.
- Generation of temporary addresses: additional addresses that have relatively short lifetimes, used as the source address when originating connections.

40 Privacy Extension: Public and Temporary Addresses
(Same WinPC randomize identifier / temporary address diagram as slide 39.)
A device implementing the SLAAC privacy extensions means the following:
- The public address can use a randomized Interface ID instead of EUI-64. (Public addresses can also use EUI-64 as an option.)
- Temporary addresses can be generated and use only a randomized Interface ID. These addresses are in addition to the public address.

41 Windows Default: Privacy Extension
Randomized Interface ID in the public address:
    WinPC> netsh interface ipv6 set global randomizeidentifiers=enabled store=active
    Ok.
    WinPC> netsh interface ipv6 set global randomizeidentifiers=enabled store=persistent
    WinPC> ipconfig
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix . :
       IPv6 Address : 2001:db8:cafe:1:d0f8:9ff6:4201:7086
       Temporary IPv6 Address : 2001:db8:cafe:1:78bd:10b0:aa92:62c
       Link-local IPv6 Address : fe80::d0f8:9ff6:4201:7086%11
Randomized Interface IDs in the addresses shown.

42 Windows Default: Privacy Extension
Temporary address:
    C:\> netsh interface ipv6 set privacy state=enabled store=active
    C:\> netsh interface ipv6 set privacy state=enabled store=persistent
    WinPC> ipconfig
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix . :
       IPv6 Address : 2001:db8:cafe:1:d0f8:9ff6:4201:7086
       Temporary IPv6 Address : 2001:db8:cafe:1:78bd:10b0:aa92:62c
       Link-local IPv6 Address : fe80::d0f8:9ff6:4201:7086%11
Temporary Address – only ever has a randomized Interface ID.

43 Windows: Temporary Address Disabled
We will see how the RA can influence this as well (DHCPv6 chapter).
    C:\> netsh interface ipv6 set privacy state=disabled store=active
    C:\> netsh interface ipv6 set privacy state=disabled store=persistent
Note: Use disabled to prohibit Windows from creating a temporary address.
    WinPC> ipconfig
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix . :
       IPv6 Address : 2001:db8:cafe:1:d0f8:9ff6:4201:7086
       Link-local IPv6 Address : fe80::d0f8:9ff6:4201:7086%11
No temporary address.

44 Autoconfigured Address States and Lifetimes

45 Address States and Lifetimes (timeline)
An address created using SLAAC passes through these states over time: Tentative (DAD), Preferred, Deprecated, Invalid. Preferred and Deprecated together make up the Valid period. The Preferred Lifetime ends when the address becomes deprecated; the Valid Lifetime ends when it becomes invalid. Preferred: can create new connections. Deprecated: cannot create new connections. Invalid: no connections.

46 Tentative address: The uniqueness of the address is in the process of being verified. Not considered to be assigned to an interface. An interface discards received packets addressed to a tentative address but accepts Neighbor Discovery packets related to Duplicate Address Detection for the tentative address.

47 ICMPv6 Duplicate Address Detection (DAD)
Figure: link-local address fe80::1111:2222:3333:4444; the device sends a Neighbor Solicitation for it and hopefully receives no Neighbor Advertisement. See the process with: R1# debug ipv6 nd
Duplicate Address Detection (DAD) is used to guarantee that an IPv6 unicast address is unique on the link. A device sends a Neighbor Solicitation for its own unicast address (static or dynamic). If no Neighbor Advertisement is received within a period of time, the address is deemed unique. DAD was once required; the RFC was updated so that it is only recommended, because the 64-bit Interface ID makes duplicates unlikely.

48 Valid address: The address is a preferred or deprecated address. A valid address can be the source or destination address of a packet. The amount of time an address remains in the valid and preferred states is carried in the RA message. 2,592,000 seconds equals 30 days. Valid Lifetime: This is the length of time an address remains in the valid state. The Valid Lifetime must be greater than or equal to the Preferred Lifetime. When the Valid Lifetime expires, the address becomes invalid.

49 Preferred address: The interface address has been verified as unique. The device can send and receive traffic using this address. New connections can be initiated using a preferred address as the source address. The period of time that an address can remain in the preferred state is included in the RA message. 604,800 seconds equals 7 days. Preferred Lifetime: This is the length of time a valid address is preferred until it becomes deprecated. When the Preferred Lifetime expires, the address becomes deprecated.

50 Deprecated address: The address assigned to an interface is still valid, but its use is discouraged. (This typically applies to temporary addresses, not public addresses.) A deprecated address should no longer be used as a source address in new communications, but packets sent from or to deprecated addresses are still delivered as expected. A deprecated address can continue to be used as a source address in existing communications where changing to a preferred address might cause a problem for a specific upper-layer activity, such as an existing TCP connection.

51 Invalid address: A valid address becomes invalid when its Valid Lifetime expires. Invalid addresses should not appear as the destination or source address of a packet.

52 R1(config)# ipv6 unicast-routing
R1(config)# exit
R1# debug ipv6 nd
ICMP Neighbor Discovery events debugging is on
R1#
*Nov 27 18:34:52.494: ICMPv6-ND: (GigabitEthernet0/0,FE80::1) send RA to FF02::1
*Nov 27 18:34:52.494: ICMPv6-ND: (GigabitEthernet0/0,FE80::1) Sending RA (1800) to FF02::1
*Nov 27 18:34:52.494: ICMPv6-ND: MTU = 1500
*Nov 27 18:34:52.494: ICMPv6-ND: prefix 2001:DB8:CAFE:1::/64 [LA] /604800
<output omitted for brevity>
R1# undebug all

53 Example: Autoconfigured Address States and Lifetimes

54 Figure: timeline of the example's address states. 1 Link-local address: Tentative → DAD unsuccessful (Duplicate Address) or DAD successful: Link-local Address Valid/Preferred. 2 Router Solicitation Sent, Router Advertisement Received. 3 New GUA Address: Tentative → DAD unsuccessful (Duplicate Address) or DAD successful. 4 Valid. 5, 6 Preferred (Public Address: New RA Received resets the lifetimes). 7 Deprecated (Preferred Lifetime Expires). 8 Invalid (Valid Lifetime Expires).

55 1 WinPC creates a link-local address, fe80::d0f8:9ff6:4201:7086, and performs Duplicate Address Detection (DAD) to ensure that the address is unique. During the DAD process, the link-local address is in the tentative state (tentative address). Once the address is determined to be unique, the link-local address transitions to the valid/preferred state. Because a link-local address is not used for communications beyond the link, it does not raise the same privacy concerns as a global unicast address. Therefore, the Valid Lifetime and Preferred Lifetime are set to infinite, and the link-local address remains in the valid/preferred state indefinitely. In Windows, the Interface ID of the link-local address is randomized.

56 WinPC> netsh interface ipv6 show address 11
Address fe80::d0f8:9ff6:4201:7086%11 Parameters
Interface Luid     : Local Area Connection
Scope Id           : 0.11
Valid Lifetime     : infinite
Preferred Lifetime : infinite
DAD State          : Preferred
Address Type       : Other
Skip as Source     : false

57 2 WinPC (RS Message): Using the link-local address as the source IPv6 address, WinPC sends a Router Solicitation message requesting a Router Advertisement. (RA messages are also sent periodically.)
Router R1 (RA Message): Router R1, the local router for WinPC, sends the Router Advertisement message with the prefix 2001:db8:cafe:1::/64 and the Valid Lifetime and Preferred Lifetime set to /

58 3 SLAAC: Devices use the information in the RA to generate one or more routable addresses. Using the prefix in R1’s RA, WinPC creates two addresses using SLAAC:
Public IPv6 address: 2001:db8:cafe:1:d0f8:9ff6:4201:7086 (address for others to connect to – needs to be more permanent)
Temporary IPv6 address: 2001:db8:cafe:1:78bd:10b0:aa92:62c (source address used when initiating the connection – needs to change more often)
Both of these addresses are initially put in the tentative state while DAD is performed to ensure their uniqueness. Windows: Both addresses use randomized Interface IDs.
The prefix 2001:db8:cafe:1::/64 has the L flag set to 1, which indicates to WinPC that this prefix is on-link. 2001:db8:cafe:1::/64 is the on-link prefix for both addresses. Any packet with a destination IPv6 address using this prefix can be sent directly to the device.

59 Public IPv6 Address (RA Message: Valid/Preferred Timers; Destination: Public IPv6 Address)
■ Used by other devices for reaching this device
■ Created using SLAAC
■ Interface ID is EUI-64 or random (host is implementing the privacy extension)
■ Valid/Preferred timers set by RA
■ Valid/Preferred timers reset by RA
■ Typically stays in Preferred state (permanent)
Temporary IPv6 Address (Source: Temporary IPv6 Address)
■ Used as a source address when initiating the connection
■ Created using SLAAC
■ Host is implementing the privacy extension
■ Interface ID is random only
■ Valid/Preferred timers set by host OS (not RA)
■ Valid/Preferred timers are NOT reset by RA
■ When it enters the deprecated state, a new temporary address is created
■ Will eventually become invalid (not used)

60 4 Valid/Preferred: Once DAD determines that these addresses are unique, the addresses transition from the tentative to the valid/preferred state.

61 5 Public Address: The public address uses the Valid Lifetime and Preferred Lifetime in the Router Advertisement—30 days (2,592,000 seconds) and 7 days (604,800 seconds), respectively. Each time the host receives an RA, the Valid Lifetime and Preferred Lifetime are reset to the value in the RA. (The address will continue to be preferred – reachable from the outside)

62 WinPC> netsh interface ipv6 show address 11
Address 2001:db8:cafe:1:d0f8:9ff6:4201:7086 Parameters
Interface Luid     : Local Area Connection
Scope Id           : 0.0
Valid Lifetime     : 29d23h59m32s
Preferred Lifetime : 6d23h59m32s
DAD State          : Preferred
Address Type       : Public
Skip as Source     : false
Depending on the values of the lifetimes in the RA, the actual lifetimes used by a host may differ from those in the RA. Valid and preferred lifetimes are refreshed every 200 seconds by the RA.

63 6 Temporary Address: A temporary address typically has a shorter lifetime than a public address. OS dependent - Windows defaults to a Valid Lifetime and Preferred Lifetime of 7 days ( seconds). Unlike for a public address, the Preferred Lifetime is not reset when another RA is received. (This may change… beyond scope.) The device continues to decrement the Preferred Lifetime of the temporary address until it becomes deprecated.

64 WinPC> netsh interface ipv6 show address 11
Address 2001:db8:cafe:1:78bd:10b0:aa92:62c Parameters
Interface Luid     : Local Area Connection
Scope Id           : 0.0
Valid Lifetime     : 6d23h59m32s
Preferred Lifetime : 6d23h59m32s
DAD State          : Preferred
Address Type       : Temporary
Skip as Source     : false
Valid and preferred lifetimes are NOT refreshed by the RA; the address will either become deprecated or be replaced by a new temporary address when the host reboots.

65 7 Deprecated Address: After a Preferred Lifetime expires, the address state becomes deprecated, and no new connections should be made using this address. When a temporary address becomes deprecated, a new temporary address must be generated. In normal operations, there should be no more than one temporary address that is in the valid/preferred state.

66 8 Invalid: If no new RA is received, the Valid Lifetime (temporary address) eventually expires, and the address becomes invalid. The address is then removed from the interface.
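The lifecycle in steps 1 to 8 can be checked against a small model. The following Python is an added example, not code from the slides or from any operating system: it keeps one public and one temporary SLAAC address, applies the timer values the slides give (an RA every 200 seconds carrying a 30-day Valid Lifetime and a 7-day Preferred Lifetime; 7 days for both lifetimes of a Windows temporary address), lets only the public address be refreshed by RAs, and replaces a temporary address once it is no longer preferred. The two initial addresses are WinPC's from the slides; the replacement temporary addresses, the immediate completion of DAD for them, and the ra_stop option that cuts off further RAs are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Timer values stated on the slides, in seconds.
RA_INTERVAL = 200          # R1 sends an RA every 200 seconds
RA_VALID = 2_592_000       # 30 days: Valid Lifetime in R1's RA
RA_PREFERRED = 604_800     # 7 days: Preferred Lifetime in R1's RA
TEMP_VALID = 604_800       # Windows default for a temporary address
TEMP_PREFERRED = 604_800
DAY = 86_400


@dataclass
class SlaacAddress:
    address: str
    kind: str                     # "public" or "temporary"
    valid_until: float
    preferred_until: float
    dad_complete: bool = False

    def state(self, now: float) -> str:
        """Tentative until DAD finishes, then preferred -> deprecated -> invalid."""
        if not self.dad_complete:
            return "tentative"        # packets to it are discarded, only DAD NS/NA accepted
        if now >= self.valid_until:
            return "invalid"
        if now >= self.preferred_until:
            return "deprecated"
        return "preferred"

    def can_start_new_connection(self, now: float) -> bool:
        # Only a preferred address may be the source of new communications.
        return self.state(now) == "preferred"

    def apply_ra(self, now: float, valid: int, preferred: int) -> None:
        # As the slides describe: an RA resets the lifetimes of a public
        # address, while a temporary address keeps counting down.
        if self.kind == "public":
            self.valid_until = now + valid
            self.preferred_until = now + preferred


def simulate(until: float, ra_stop: Optional[float] = None) -> dict:
    """Step through time in RA intervals up to `until` and report the states.
    RAs arrive every RA_INTERVAL seconds, or stop arriving at `ra_stop` if
    given (router gone or RA never received).  A temporary address that is no
    longer preferred is replaced by a new one whose DAD is assumed to complete
    at once (simplification).  The two initial addresses are WinPC's from the
    slides; replacement temporary addresses are constructed placeholders."""
    public = SlaacAddress("2001:db8:cafe:1:d0f8:9ff6:4201:7086", "public",
                          RA_VALID, RA_PREFERRED, dad_complete=True)
    temporaries = [SlaacAddress("2001:db8:cafe:1:78bd:10b0:aa92:62c", "temporary",
                                TEMP_VALID, TEMP_PREFERRED, dad_complete=True)]
    t = 0
    while t <= until:
        if ra_stop is None or t < ra_stop:
            public.apply_ra(t, RA_VALID, RA_PREFERRED)
        if not temporaries[-1].can_start_new_connection(t):
            temporaries.append(SlaacAddress(
                f"2001:db8:cafe:1::temp{len(temporaries) + 1}",   # constructed placeholder
                "temporary", t + TEMP_VALID, t + TEMP_PREFERRED, dad_complete=True))
        t += RA_INTERVAL
    return {
        "public": public.state(until),
        "temporary_count": len(temporaries),
        "temporary_states": [a.state(until) for a in temporaries],
    }
```

simulate(8 * DAY) shows the public address still preferred after eight days because every RA has reset its timers, while the first temporary address has run out and a second one has taken over; simulate(31 * DAY, ra_stop=1) reproduces step 8: with no further RA after the first one, the public address itself passes through deprecated and becomes invalid once its 30-day Valid Lifetime expires. A host that keeps opening new connections from a deprecated address, or that never regenerates a temporary address, shows up immediately when its behaviour is compared with a model like this.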

67 Examining the ICMPv6 Router Advertisement Message in Wireshark (Chapter specific fields)

68 The ICMPv6 message is encapsulated in an IPv6 header:
Figure: IPv6 header (Dest. Add. ff02::1, Source Add. fe80::1, Next Header 58) followed by the ICMPv6 header and data.
Source Address: fe80::1 (link-local address of R1)
Destination Address: ff02::1 (all-IPv6 devices multicast group or a solicited unicast)
Next Header: 0x3a (an ICMPv6 header, 58 in decimal)

69 Indicates this is a Router Advertisement message.
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0xcaf0 [correct]
    Cur hop limit: 64
    Flags: 0xc0
        Managed address configuration: Not set
        Other configuration: Not set
        Home Agent: Not set
        Prf (Default Router Preference): Medium (0)
        Proxy: Not set
        Reserved: 0
    Router lifetime (s): 1800
    Reachable time (ms): 0
    Retrans timer (ms): 0
<Continued next slide>
Type (134): Indicates this is a Router Advertisement message.
Cur Hop Limit (64): The value the router recommends for hosts on the network to use as the Hop Limit field in their IPv6 packets. A value of 0 means that the router is not recommending a hop limit and that the host’s operating system should determine its own value. The default is 64.

70 Managed Address Configuration flag (M flag) (0):
(Same Wireshark output as slide 69.)
Managed Address Configuration flag (M flag) (0): When set to 1, this tells the host to use stateful configuration (DHCPv6). The default is 0.
Other Configuration flag (O flag) (0): When set to 1, this tells the host that additional information is available from the DHCPv6 server, such as a domain name or DNS-related information. The default is 0.

71 Default Router Preference (Medium):
(Same Wireshark output as slide 69.)
Default Router Preference (Medium): When receiving RA messages from multiple routers, the Default Router Preference (DRP) is used to determine which router to prefer as the default gateway. The preference values are High (01), Medium (00), Low (11), and Reserved (10). If the DRP values are equal, the host uses the source address from the first RA message it received as its default gateway. The default is Medium.

72 A lifetime of 0 indicates that the router is not a default gateway.
(Same Wireshark output as slide 69.)
Router Lifetime (1800): Duration, in seconds, for which the router should be used as the default gateway. A lifetime of 0 indicates that the router is not a default gateway. The Router Lifetime applies only to the router’s function as a default gateway. The host refreshes its own timer every time it receives a Router Advertisement. The default is 1800 (seconds).

73 (Source) Link Layer Address (58:ac:78:93:da:00):
<Continued from previous slide>
    ICMPv6 Option (Source link-layer address : 58:ac:78:93:da:00)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: 58:ac:78:93:da:00 (58:ac:78:93:da:00)
    ICMPv6 Option (MTU : 1500)
        Type: MTU (5)
        Reserved
        MTU: 1500
    ICMPv6 Option (Prefix information : 2001:db8:cafe:1::/64)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 64
        Flag: 0xc0
            On-link flag(L): Set
            Autonomous address-configuration flag(A): Set
            Router address flag(R): Not set
            Reserved: 0
        Valid Lifetime:
        Preferred Lifetime:
        Prefix: 2001:db8:cafe:1:: (2001:db8:cafe:1::)
(Source) Link Layer Address (58:ac:78:93:da:00): This is the Layer 2 link layer (data link layer) address of the sender.
MTU (1500): This informs hosts of the maximum transmission unit (MTU) for the network. Hosts use this information to maximize the size of the IPv6 packet.

74 It also assists with address autoconfiguration.
(Same Wireshark output as slide 73.)
Prefix Length (64): The Prefix Length field provides necessary information for on-link determination (when combined with the L flag in the prefix information option). It also assists with address autoconfiguration.

75 On-Link flag (L flag) (1):
(Same Wireshark output as slide 73.)
On-Link flag (L flag) (1): When set to 1, this indicates that the prefix can be used for on-link determination - the prefix advertised in the RA is on this link (subnet). When it is not set, the advertisement makes no statement about on-link or off-link properties of the prefix. The default is 1.
Autonomous Address Configuration flag (A flag) (1): When this flag is set to 1 (on), it tells the receiving host to use SLAAC to create its global unicast address.

76 Length of time an address remains in the valid state.
(Same Wireshark output as slide 73.)
Valid Lifetime ( ): Length of time an address remains in the valid state. The default is 2,592,000 seconds (30 days).
Preferred Lifetime (604800): This is the length of time a valid address is preferred. When the Preferred Lifetime expires, the address becomes deprecated. The default is 604,800 seconds (7 days).

77 Prefix (2001:db8:cafe:1::):
(Same Wireshark output as slide 73.)
Prefix (2001:db8:cafe:1::): This notifies the host of the prefix that can be used for Stateless Address Autoconfiguration. It is used as an on-link prefix when the L flag is set to 1.

78 Modifying the RA Message

79 Modifying the Valid Lifetime and Preferred Lifetime in the RA Message
The default Valid Lifetime and Preferred Lifetime that are sent in the Router Advertisement message can be modified using the interface command:
Router(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length [valid-lifetime] [preferred-lifetime]

80 R1(config)# interface gigabitethernet 0/0
R1(config-if)# ipv6 nd prefix 2001:db8:cafe:1::/
R1(config-if)# end
R1# debug ipv6 nd
ICMP Neighbor Discovery events debugging is on
R1#
*Nov 27 20:12:50.490: ICMPv6-ND: (GigabitEthernet0/0,FE80::1) send RA to FF02::1
*Nov 27 20:12:50.490: ICMPv6-ND: (GigabitEthernet0/0,FE80::1) Sending RA (1800) to FF02::1
*Nov 27 20:12:50.490: ICMPv6-ND: MTU = 1500
*Nov 27 20:12:50.490: ICMPv6-ND: prefix 2001:DB8:CAFE:1::/64 [LA] /172800
<output omitted for brevity>
R1# undebug all
The Valid Lifetime and Preferred Lifetime for R1’s G0/0 Router Advertisement message are modified to 15 days (1,296,000 seconds) and 2 days (172,800 seconds), respectively.

81 Including the DNS Address in the RA Message
DNS server addresses are not included in the RA by default. The RA message must be configured to include these addresses. RFC 6106, IPv6 Router Advertisement Options for DNS Configuration, defines the Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options in the Router Advertisement. Prior to RFC 6106, DNS addresses could only be obtained using stateless or stateful DHCPv6.

82 Including the DNS Address in the RA Message
To configure a Cisco router to include a list of DNS servers in its Router Advertisement, use the interface command:
Router(config-if)# ipv6 nd ra dns server ipv6-address dns-lifetime
Up to eight DNS server addresses can be included. dns-lifetime is the amount of time (in seconds) that the DNS server is advertised in the RA message. The range is from 200 to 4,294,967,295 seconds, with a default of 400 seconds.

83 R1(config)# interface gigabitethernet 0/0
R1(config-if)# ipv6 nd ra dns server 2001:db8:cafe:99::9999
R1(config-if)# end
R1# debug ipv6 nd
ICMP Neighbor Discovery events debugging is on
R1#
*Dec 3 16:14:04.647: ICMPv6-ND: (GigabitEthernet0/0,FE80::1) send RA to FF02::1
*Dec 3 16:14:04.647: ICMPv6-ND: (GigabitEthernet0/0,FE80::1) Sending RA (1800) to FF02::1
*Dec 3 16:14:04.647: ICMPv6-ND: MTU = 1500
*Dec 3 16:14:04.647: ICMPv6-ND: DNS lifetime 400
*Dec 3 16:14:04.647: ICMPv6-ND: server 2001:DB8:CAFE:99::9999
*Dec 3 16:14:04.647: ICMPv6-ND: prefix 2001:DB8:CAFE:1::/64 [LA] /604800

84 Wireshark Output
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    <output omitted for brevity>
    ICMPv6 Option (Recursive DNS Server 2001:db9:cafe:99::99)
        Type: Recursive DNS Server (25)
        Length: 3 (24 bytes)
        Reserved
        Lifetime: 400
        Recursive DNS Servers: 2001:db9:cafe:99::99 (2001:db9:cafe:99::99)
It is important that both the router sending the RA message and the devices using the RA for SLAAC support RFC 6106. To cover all bases, some implementations send the DNS server address in the RA and also use stateless DHCPv6 to advertise the DNS address. This provides a transition for operating systems that do not yet support RFC 6106.
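Slides 68 to 77 and 84 walk through the RA fields as Wireshark displays them. The Python below is an added example, not the course's material or Wireshark's code: it builds the equivalent ICMPv6 bytes as a constructed sample (header flags byte 0x00, since M and O are not set; the RDNSS option carries the server from R1's configuration, 2001:db8:cafe:99::9999, so the checksum differs from the capture's 0xcaf0), parses the fixed header and the Source Link-Layer Address, MTU, Prefix Information and RDNSS options with the length checks RFC 4861 calls for, verifies the ICMPv6 checksum over the IPv6 pseudo-header for the fe80::1 to ff02::1 exchange, and finally compares the parsed RA with the link's expected router and SLAAC prefixes, the comparison an RA monitoring tool makes. The expected-configuration arguments of audit_ra are assumptions for the example.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLA, OPT_PREFIX_INFO, OPT_MTU, OPT_RDNSS = 1, 3, 5, 25
PRF = {0: "Medium", 1: "High", 2: "Reserved", 3: "Low"}   # Default Router Preference bits


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header and the ICMPv6 message.
    Returns 0 when `icmp` already carries a correct checksum."""
    pseudo = (IPv6Address(src).packed + IPv6Address(dst).packed
              + struct.pack("!I3xB", len(icmp), 58))          # length, zeros, next header 58
    data = pseudo + icmp + (b"\x00" if len(icmp) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                        # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ra(msg: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement: fixed header plus its options."""
    if len(msg) < 16:
        raise ValueError("too short for a Router Advertisement")
    typ, code, _csum, hop, flags, rlife, reach, retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a Router Advertisement (type {typ}, code {code})")
    ra = {"cur_hop_limit": hop, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "prf": PRF[(flags >> 3) & 0x3], "router_lifetime": rlife,
          "reachable_time": reach, "retrans_timer": retrans, "options": []}
    off = 16
    while off < len(msg):
        if len(msg) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:                        # RFC 4861: zero length means discard the packet
            raise ValueError("option with zero length")
        end = off + olen * 8
        if end > len(msg):
            raise ValueError("option runs past the end of the message")
        body = msg[off + 2:end]
        if otype == OPT_SOURCE_LLA and olen == 1:
            ra["options"].append({"type": "source_lla", "mac": body[:6].hex(":")})
        elif otype == OPT_MTU and olen == 1:
            ra["options"].append({"type": "mtu", "mtu": struct.unpack("!xxI", body)[0]})
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, pref = struct.unpack("!BBII", body[:10])
            prefix = IPv6Network((body[14:30], plen), strict=False)    # body[10:14] is reserved
            ra["options"].append({"type": "prefix_info", "prefix": str(prefix),
                                  "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                                  "valid_lifetime": valid, "preferred_lifetime": pref})
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            lifetime = struct.unpack("!xxI", body[:6])[0]
            servers = [str(IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
            ra["options"].append({"type": "rdnss", "lifetime": lifetime, "servers": servers})
        else:                                # unknown or malformed option: skip, keep parsing
            ra["options"].append({"type": f"unknown({otype})", "length": olen})
        off = end
    return ra


def build_sample_ra() -> bytes:
    """Constructed bytes for the RA on the slides: hop limit 64, M and O clear, router
    lifetime 1800, SLLA 58:ac:78:93:da:00, MTU 1500, prefix 2001:db8:cafe:1::/64 with
    L and A set (0xc0), lifetimes 2592000/604800, RDNSS 2001:db8:cafe:99::9999 for 400 s."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0x00, 1800, 0, 0)
    slla = bytes([OPT_SOURCE_LLA, 1]) + bytes.fromhex("58ac7893da00")
    mtu = struct.pack("!BBxxI", OPT_MTU, 1, 1500)
    pio = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2_592_000, 604_800, 0)
           + IPv6Address("2001:db8:cafe:1::").packed)
    rdnss = struct.pack("!BBxxI", OPT_RDNSS, 3, 400) + IPv6Address("2001:db8:cafe:99::9999").packed
    msg = hdr + slla + mtu + pio + rdnss
    csum = icmpv6_checksum("fe80::1", "ff02::1", msg)       # checksum field is zero at this point
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def audit_ra(ra: dict, src: str, expected_router: str, expected_prefixes: set) -> list:
    """Compare a parsed RA with the link's known configuration (the logic behind RA
    monitoring): flag an unexpected sender or an unexpected SLAAC prefix."""
    findings = []
    if src != expected_router:
        findings.append(f"RA from unexpected router {src}")
    for opt in ra["options"]:
        if opt["type"] == "prefix_info" and opt["A"] and opt["prefix"] not in expected_prefixes:
            findings.append(f"unexpected SLAAC prefix {opt['prefix']}")
    return findings
```

parse_ra(build_sample_ra()) yields the same values the Wireshark annotations list: hop limit 64, M and O clear, Prf Medium, router lifetime 1800, MTU 1500, the prefix with L and A set and its two lifetimes, and the RDNSS lifetime of 400. The option loop rejects a zero-length option and an option that extends past the message rather than reading beyond the buffer, and skips option types it does not know, which is what RFC 4861 asks of a receiver.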

85 Router Advertisement Configuration Commands
Some of these commands, along with others previously covered, will be discussed in later chapters.

86

87

88

89 Default Address Selection

90 IPv6 addressing architecture allows for multiple unicast addresses to be assigned to the same interface. These addresses may differ in the following ways:
■ Scope (link-local, global, etc.)
■ Public or temporary
■ Preferred or deprecated
■ “Home address” or “care-of address” (used for mobility)
As a result, at times IPv6 devices must decide among multiple source addresses. It is necessary to have algorithms for selecting the proper address so developers and administrators can predict the behavior of their systems. This process is defined in RFC 6724, Default Address Selection for Internet Protocol Version 6 (IPv6).

91 When there is more than one possible source address, the source address selection produces a single source IPv6 address for a given destination IPv6 address. The algorithm uses pairwise comparison rules between the source addresses. There are eight rules, applied in the following order:
■ Rule 1: Prefer same address: Prefer the same address if the source and destination addresses are the same. For example, if you have WinPC ping itself, it should use the same address for the source address that it uses for the destination address.
■ Rule 2: Prefer appropriate scope: Prefer address pairs that are of the same scope or type (link-local, global, and so on). For example, if WinPC pings the link-local address of router R1, it should use its own link-local address as the source address.

92 ■ Rule 3: Avoid deprecated addresses: A preferred (non-deprecated) address is preferred over a deprecated address. Deprecated addresses need to be avoided and used only to continue existing communications. If WinPC has both a preferred and a deprecated address on the same interface, it should use the preferred address when initiating any new communications.
■ Rule 4: Prefer home addresses (mobility): Prefer a home address to a care-of address. A home address is an IPv6 address assigned to a mobile node and used as the permanent address. This is the “normal” permanent IPv6 address used by the device on its home network. Packets sent to this device are always sent to the home address. A care-of address is a secondary, temporary IPv6 address associated with a mobile node when visiting a foreign link, away from its home link. When a mobile node is on its home link, it might have an address that is both its home address and a care-of address.

93 ■ Rule 5: Prefer outgoing interface: Prefer a source address that is on the same outgoing interface used to forward the packet. In other words, this rule favors a source address that is on the same interface that will be used to send the packet to the destination address.
■ Rule 6: Prefer matching label: The default policy table is a longest-matching-prefix lookup table, much like a routing table. The table includes the prefix, precedence, and a label. The precedence is used to sort the table by destination address. The label is used by policies to prefer a specific source address prefix for use with a destination address prefix: addresses with the same label are preferred. This results in the preference of using native source addresses with native destination addresses and, likewise, 6to4 source addresses with 6to4 destination addresses.

94 ■ Rule 7: Prefer temporary addresses: This rule gives preference to privacy addresses, preferring a temporary address to a public address. For example, WinPC is initiating communications with LinuxPC. Because WinPC implements the privacy extension, it uses its temporary address in preferred state as the source address.
■ Rule 8: Use longest prefix matching: Given a common prefix length, the rule prefers the address with the longest matching prefix. For example, PC-1 has two GUA addresses on its interface: 2001:db8:cafe:1001::1/64 (source address A) and 2001:db8:cafe:1fff::1/64 (source address B). PC-1 is going to ping PC-2 at 2001:db8:cafe:1000::1. PC-2’s 2001:db8:cafe: matches both of PC-1’s addresses, but looking at the fourth hextet in binary, we can see that 2001:db8:cafe:1001::1 is a longer prefix match.
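The eight rules can be exercised with a small implementation. The following Python is an added example, not from RFC 6724 or the slides: it implements Rules 1, 2, 3, 7 and 8 as pairwise comparisons applied in order (Rules 4, 5 and 6 need mobility, routing and policy-table state that is not modelled here and are skipped) and runs the slides' cases: WinPC pinging itself, WinPC pinging R1's fe80::1, WinPC reaching LinuxPC, the same with WinPC's temporary address deprecated, and PC-1's two addresses toward PC-2. LinuxPC's address 2001:db8:cafe:1::10 and the Candidate class are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Iterable


@dataclass(frozen=True)
class Candidate:
    """A source address on the interface with the attributes the rules consult."""
    address: str
    deprecated: bool = False
    temporary: bool = False


def scope(addr: IPv6Address) -> int:
    """RFC 4007 scope value: multicast carries it in the address, link-local is 2,
    everything else is treated as global (14)."""
    if addr.is_multicast:
        return addr.packed[1] & 0x0F
    if addr.is_link_local or addr.is_loopback:
        return 2
    return 14


def common_prefix_len(a: IPv6Address, b: IPv6Address) -> int:
    """Number of leading bits the two addresses share (0..128)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def prefer(sa: Candidate, sb: Candidate, dst: str) -> Candidate:
    """Return whichever of sa, sb wins for dst under the rules, applied in order."""
    d, a, b = IPv6Address(dst), IPv6Address(sa.address), IPv6Address(sb.address)
    # Rule 1: prefer same address.
    if a == d:
        return sa
    if b == d:
        return sb
    # Rule 2: prefer appropriate scope (the comparison from RFC 6724 section 5).
    if scope(a) != scope(b):
        if scope(a) < scope(b):
            return sb if scope(a) < scope(d) else sa
        return sa if scope(b) < scope(d) else sb
    # Rule 3: avoid deprecated addresses.
    if sa.deprecated != sb.deprecated:
        return sb if sa.deprecated else sa
    # Rules 4-6 (home address, outgoing interface, policy-table label) are skipped:
    # they need state this single-interface model does not carry.
    # Rule 7: prefer temporary addresses.
    if sa.temporary != sb.temporary:
        return sa if sa.temporary else sb
    # Rule 8: use longest matching prefix (a tie keeps sa).
    return sa if common_prefix_len(a, d) >= common_prefix_len(b, d) else sb


def select_source(candidates: Iterable[Candidate], dst: str) -> Candidate:
    """Reduce the candidate set pairwise to the single source address for dst."""
    it = iter(candidates)
    best = next(it)
    for cand in it:
        best = prefer(best, cand, dst)
    return best


# WinPC's addresses from the slides; LinuxPC's address is constructed.
WINPC_PUBLIC = Candidate("2001:db8:cafe:1:d0f8:9ff6:4201:7086")
WINPC_TEMP = Candidate("2001:db8:cafe:1:78bd:10b0:aa92:62c", temporary=True)
WINPC_LLA = Candidate("fe80::d0f8:9ff6:4201:7086")
WINPC = [WINPC_PUBLIC, WINPC_TEMP, WINPC_LLA]
LINUXPC = "2001:db8:cafe:1::10"          # constructed for the example
PC1_A = Candidate("2001:db8:cafe:1001::1")
PC1_B = Candidate("2001:db8:cafe:1fff::1")
PC2 = "2001:db8:cafe:1000::1"


def demo() -> dict:
    """The slides' worked cases; each key names the rule that decides it."""
    temp_deprecated = Candidate(WINPC_TEMP.address, deprecated=True, temporary=True)
    return {
        "rule1_ping_self": select_source(WINPC, WINPC_PUBLIC.address).address,
        "rule2_ping_r1_lla": select_source(WINPC, "fe80::1").address,
        "rule7_to_linuxpc": select_source(WINPC, LINUXPC).address,
        "rule3_temp_deprecated": select_source(
            [WINPC_PUBLIC, temp_deprecated, WINPC_LLA], LINUXPC).address,
        "rule8_pc1_to_pc2": select_source([PC1_A, PC1_B], PC2).address,
        "rule8_prefix_bits": (common_prefix_len(IPv6Address(PC1_A.address), IPv6Address(PC2)),
                              common_prefix_len(IPv6Address(PC1_B.address), IPv6Address(PC2))),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The Rule 8 case makes the slide's binary argument concrete: 2001:db8:cafe:1001::1 shares 63 leading bits with PC-2's address while 2001:db8:cafe:1fff::1 shares only 52, so source address A wins. The order of the rules matters as much as the rules themselves; swapping Rule 3 and Rule 7, for instance, would have WinPC keep sourcing new connections from a deprecated temporary address.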

95 Ch.9 Stateless Address Autoconfiguration (SLAAC)
CIS 116 IPv6 Fundamentals Rick Graziani Cabrillo College

