Navigating IPv6 Address Configuration: SLAAC, Stateful DHCPv6, and Stateless DHCP

With a plethora of address configuration options available, it's essential to understand the nuances of each method. In this blog post, we'll take a relaxed yet professional look at SLAAC, Stateful DHCPv6, and Stateless DHCP, shedding light on their differences and applications.

Comparison to IPv4

The choices for client addressing are pretty limited in the world of IPv4: DHCP or manual configuration. BOOTP was an option in the early days, but its use today is extremely limited to nonexistent. As for DHCP, your options are fairly limited: you can host the DHCP server directly on your network equipment or relay it to a centralized server for easier management.

IPv6 changed the script a bit when it came to dynamic client addressing. ICMPv6 expanded its capabilities from its IPv4 counterpart to include the functionality that was previously performed by ARP and DHCP.

Regardless of which client addressing strategy below is used, they all start with a router advertisement packet. Before a router advertisement packet can be solicited or received, the client needs to create a link-local address.

At first, it sounds like a chicken or the egg problem, creating an address to get a different address, but hopefully I can demystify the problem here.

To create a link-local address, the client uses their interface MAC address (EUI-48 address) to create an EUI-64 address and add it to the globally reserved link-local subnet prefix. That process is:

  1. Flip the 7th bit, or the global bit, of the MAC address, for example: 1234:5678:9012 -> 1034:5678:9012

  2. Split the address in two and pad it with “FFF0”, for example: 1034:5678:9012 -> 1034:56ff:f078:9012

  3. Prepend the link-local prefix of “FE80::/10” to create a link-local address, for example: FE80::1034:56FF:F078:9012

  4. Perform a duplicate address detection check using the new address.
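The derivation and the DAD probe can be reproduced in a few lines of Python. This is an added example, not code from the original post: it follows the modified EUI-64 rules of RFC 4291 (universal/local bit flipped, FF:FE inserted between the two MAC halves) and checks itself against the router's link-local address and solicited-node group shown in the show ipv6 interface output further down. The MAC 52:54:00:1d:97:b6 is inferred from that output and is an assumption; the function names are hypothetical.

```python
import ipaddress

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier per RFC 4291, Appendix A."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then insert FF:FE between the two halves.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 followed by the 64-bit interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_iid(mac))

def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX group built from the low 24 bits of the address."""
    return ipaddress.IPv6Address(
        b"\xff\x02" + bytes(9) + b"\x01\xff" + addr.packed[-3:])

def dad_probe(mac: str) -> dict:
    """Fields of the Neighbor Solicitation a host sends for DAD (RFC 4862)."""
    target = link_local(mac)
    group = solicited_node(target)
    return {
        "src": "::",  # the tentative address may not be used as a source yet
        "dst": str(group),
        # Ethernet multicast MAC: 33:33 plus the low 32 bits of the group
        "dst_mac": "33:33:" + ":".join(f"{b:02x}" for b in group.packed[-4:]),
        "target": str(target),
    }

# Assumption: MAC inferred from the router's link-local address in the
# show output on this page; it is not stated in the post itself.
LAB_MAC = "52:54:00:1d:97:b6"

if __name__ == "__main__":
    for field, value in dad_probe(LAB_MAC).items():
        print(f"{field:8} {value}")
```

If any node answers the probe with a Neighbor Advertisement for the target, the address is a duplicate and must not be assigned.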

On its own, this address is not enough for a machine to forward traffic correctly; it needs to be paired with an outgoing interface to function.

Link-local addresses are used for communicating with other devices on the local LAN segment, for example in Neighbor Discovery and DHCP messages. The link-local address is even used as the default gateway for clients on the network, as this is communicated in the router advertisement messages.

One final change to client addressing in IPv6 is the ability to configure multiple addresses. While you can configure multiple IPv4 addresses, it’s uncommon. In IPv6, it’s not uncommon to configure multiple addresses on an interface and even to use multiple client configuration methods, depending on organizational and client needs.

Understanding SLAAC

SLAAC, or Stateless Address Autoconfiguration, stands as a beacon of simplicity in the IPv6 landscape. This mechanism enables devices to generate their own unique IPv6 addresses without relying on external servers. Using the prefix information provided by routers through Router Advertisement (RA) messages, devices append their interface identifier to create a complete IPv6 address.

SLAAC uses the RA option header to communicate DNS server and DNS search list information. This method is called RDNSS, or recursive DNS server.

Pros:

  1. Efficiency: SLAAC is efficient in scenarios where simplicity and autonomy are valued. Devices can configure their addresses without relying on a centralized DHCP server.

  2. Scalability: As a stateless method, SLAAC scales well in large networks, reducing the burden on DHCP servers.

Cons:

  1. Limited Control: The autonomy of SLAAC may be a drawback in environments where centralized control over address assignment is critical. Changing configured DNS servers or search domains requires changing the configuration on routers rather than a centralized server.

  2. Security Concerns: The lack of centralized management raises security concerns, as rogue devices might exploit the simplicity of SLAAC. Deploying 802.1X will ensure that only authorized devices are allowed onto sensitive networks.

  3. Limited Options: As I’ll discuss below, the perk of DHCP is that it can pass many options to clients that router advertisements cannot. TFTP server addresses for phones, controller information for wireless access-points, proxy information, and more cannot be included in the RA message. The

Configuring SLAAC on Cisco IOS-XE

! Enable IPv6 routing globally (required before the router sends RAs)
ipv6 unicast-routing
!
! Assign a /64 to the interface; this prefix is advertised in RAs
interface GigabitEthernet2
 ipv6 address 2001:db8:22::1/64
! Configure DNS servers via RDNSS on the interface (lifetime 200 seconds)
 ipv6 nd ra dns server 2001:4860:4860::8888 200
 ipv6 nd ra dns server 2001:4860:4860::8844 200
!
! Configure DNS search list attribute
 ipv6 nd ra dns-search-list domain thisbridgeistheroot.com

Autoconfig is enabled by default on Cisco Ethernet interfaces for any /64 subnet configured. The router will periodically send router advertisements and respond to any router solicitation messages it receives. You may want to disable autoconfig for several reasons: maybe you do not want this router to solicit traffic from users, or you may prefer to use only DHCPv6 on the interface. In either case, there are a couple of ways of solving the issue.

With autoconfig turned off, RA packets are sent with the A-bit cleared in the prefix option header. This is preferred when you want to assign all addresses using DHCPv6.

ipv6 nd prefix default no-autoconfig

In cases where you would like to stop the router from sending router advertisement packets altogether, you need to suppress them.

ipv6 nd ra suppress all

Using the command without the “all” keyword at the end will disable periodic RA messages but will allow the router to respond to router solicitation messages.

SLAAC Verification Commands

Use the commands below to view the RA options configured across all interfaces.

Customer1#show ipv6 nd ra dns server 
Recursive DNS Server on: GigabitEthernet2
   DNS Server: 2001:4860:4860::8888 Lifetime: 200 seconds (configured)
   DNS Server: 2001:4860:4860::8844 Lifetime: 200 seconds (configured)

Customer1#show ipv6 nd ra dns-search-list 
DNS Search List on: GigabitEthernet2
   DNS search-list: thisbridgeistheroot.com Lifetime: 600 seconds(default)

The show command below was run after I suppressed router advertisements. You can see that reflected in the second-to-last line of the show ipv6 interface output.

Customer1#show ipv6 interface g2
GigabitEthernet2 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::5054:FF:FE1D:97B6
  No Virtual link-local address(es):
  General-prefix in use for addressing
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF1D:97B6
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND RAs are suppressed (all)
  Hosts use stateless autoconfig for addresses.

SLAAC Packet Capture

Here’s a packet capture of a router solicitation and router advertisement from my lab. You’ll notice that there is also a neighbor solicitation packet from the client; this is the client performing DAD.

Stateful DHCPv6

Stateful DHCPv6, as the name suggests, brings an element of centralization and statefulness to IPv6 address configuration. Devices request and receive specific IPv6 addresses from a DHCPv6 server, which maintains a record of assigned addresses and manages the overall address space.

Pros:

  1. Centralized Control: Stateful DHCPv6 offers network administrators greater control over address assignments, ensuring a more structured and organized network.

  2. Enhanced Logging: The DHCPv6 server logs provide a comprehensive record of address assignments, aiding troubleshooting and auditing efforts.

Cons:

  1. Complexity: Implementing Stateful DHCPv6 introduces additional complexity to the network architecture, potentially leading to increased maintenance overhead.

  2. Dependency: Relying on a central server implies that network functionality is partially dependent on the availability and health of the DHCPv6 server.

  3. Operability: Unfortunately, Android does not maintain support for DHCPv6 due to a “difference in philosophy” from one of the main architects of the operating system’s network stack. Fortunately, some manufacturers have added support in their distributions, but this is not true of the entirety of the operating system. This issue will likely force most enterprise networks to opt for either SLAAC only or a combination of SLAAC and DHCPv6.

Interestingly, DHCPv6, whether stateful or stateless, does not configure the default-router address in the same way that IPv4 DHCP does. This address is configured via the router advertisement packet in all circumstances.

Configuring Stateful DHCPv6 on Cisco IOS-XE

! Configure the DHCPv6 server
ipv6 dhcp pool DHCPv6-Pool
 address prefix 2001:db8:22::/64
 domain-name thisbridgeistheroot.com
 dns-server 2001:4860:4860::8888
 dns-server 2001:4860:4860::8844
 exit
! Apply the DHCPv6 pool to the interface
interface GigabitEthernet2
 ipv6 address 2001:db8:22::1/64
 ipv6 nd prefix default no-autoconfig
 ipv6 dhcp server DHCPv6-Pool
 ipv6 nd managed-config-flag

Stateful DHCP Verification Commands

Customer1#sh ipv6 interface g2
GigabitEthernet2 is down, line protocol is down
  IPv6 is tentative, link-local address is FE80::5054:FF:FE1D:97B6 [TEN]
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:22::1, subnet is 2001:DB8:22::/64 [TEN]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF05::1:3
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use DHCP to obtain routable addresses.

Customer1#sh ipv6 dhcp interface
GigabitEthernet1 is in client mode
  Prefix State is SOLICIT (44)
  Retransmission timer expires in 00:00:12
  Address State is IDLE
  Prefix Rapid-Commit: disabled
  Address Rapid-Commit: disabled
GigabitEthernet2 is in server mode
  Using pool: DHCPv6-Pool
  Preference value: 0
  Hint from client: ignored
  Rapid-Commit: disabled

Stateless DHCP

Stateless DHCP strikes a balance between autonomy and centralization. While devices autonomously configure their addresses using SLAAC, they still leverage Stateless DHCP for additional configuration parameters such as DNS server information or domain search lists.

Pros:

  1. Configuration Flexibility: Stateless DHCP provides the flexibility to distribute supplementary configuration information without dictating the device's primary address assignment.

  2. Enhanced Network Management: Administrators can fine-tune specific parameters for devices without the overhead of managing all aspects of address assignment.

Cons:

  1. Operational Overhead: Stateless DHCP introduces additional operational complexity compared to SLAAC alone, as administrators must manage both the stateless and stateful aspects of configuration.

Configuring Stateless DHCPv6 on Cisco IOS-XE

Stateless DHCP is communicated to the client using the “Other” config flag in the router advertisement packet. When set, the client should set their IPv6 address using either the EUI-64 process as outlined above in the SLAAC section or using privacy extensions as outlined below. The client should then request address options through DHCPv6.

! Configure the DHCPv6 server
ipv6 dhcp pool Stateless-DHCPv6-Pool
 address prefix 2001:DB8::/64
 domain-name thisbridgeistheroot.com
 exit
! Apply the DHCP pool to the interface
interface GigabitEthernet0/0
 ipv6 nd other-config-flag
 ipv6 dhcp server Stateless-DHCPv6-Pool

Privacy Extensions

IPv6 Privacy Extensions, also known as IPv6 Temporary Addresses, are a feature designed to enhance privacy for devices on IPv6 networks. In traditional IPv6 Stateless Address Autoconfiguration (SLAAC), devices typically use their Interface Identifier (IID) to form their IPv6 addresses based on the underlying link-layer address (e.g., MAC address). However, this method raises concerns about user privacy and tracking, as the MAC address remains relatively constant and can be used to identify and trace a device over time. Read up on privacy extensions in RFC 4941.

IPv6 Privacy Extensions address this privacy concern by introducing a mechanism that periodically generates temporary, randomized IPv6 addresses in addition to the traditional stable addresses. These temporary addresses help mitigate the risk of device tracking based on the Interface Identifier.

  1. Randomized Interface Identifiers: Instead of using a predictable algorithm based on the device's MAC address, Privacy Extensions generate random Interface Identifiers. This randomness makes it more challenging to trace a device's activities based on its IPv6 address.

  2. Temporary Address Lifetimes: Privacy Extensions assign temporary addresses a limited lifetime. After a certain period, these addresses expire, and new temporary addresses are generated. This periodic address rotation adds an extra layer of privacy for users.

  3. Stable Addresses: In addition to temporary addresses, devices continue to use stable addresses generated from the MAC address. This ensures compatibility with existing network applications and services while providing the option for users to maintain a level of privacy.

  4. Configuration: IPv6 Privacy Extensions can be configured on a per-interface basis, allowing administrators to enable or disable the feature as needed.

In summary, IPv6 Privacy Extensions enhance user privacy by introducing randomness and periodic address changes into the IPv6 address generation process. This helps prevent long-term tracking of devices based on their IPv6 addresses, offering a more privacy-conscious approach in the evolving landscape of network technologies.
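To see why MAC-derived interface identifiers are a tracking concern, and to audit which hosts still use them, the check below recovers the hardware address from any address whose identifier carries the FF:FE filler and groups sightings by /64. It is an added example, not part of the original post; the observed addresses are constructed (documentation prefix 2001:db8::/32, with the lab router's identifier reused for illustration) and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

def embedded_mac(addr: str):
    """Return the MAC recoverable from a modified EUI-64 identifier, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        # Randomized (temporary) identifiers normally land here; a random
        # identifier matches the filler by chance about once in 65536.
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def trackable_devices(observed) -> dict:
    """Map each recoverable MAC seen under more than one /64 to those prefixes."""
    seen = defaultdict(set)
    for addr in observed:
        ip = ipaddress.IPv6Address(addr)
        mac = embedded_mac(addr)
        if mac is None or ip.is_link_local:
            continue  # link-local addresses never leave the segment
        seen[mac].add(str(ipaddress.IPv6Network((addr, 64), strict=False)))
    return {m: sorted(p) for m, p in seen.items() if len(p) > 1}

# Constructed observations, e.g. source addresses pulled from server logs.
OBSERVED = [
    "2001:db8:22:0:5054:ff:fe1d:97b6",    # MAC-derived identifier, network A
    "2001:db8:99:0:5054:ff:fe1d:97b6",    # same interface seen on network B
    "2001:db8:22:0:8d3a:41c7:2b90:e6f4",  # randomized temporary identifier
    "fe80::5054:ff:fe1d:97b6",            # link-local, ignored
]

if __name__ == "__main__":
    for mac, prefixes in trackable_devices(OBSERVED).items():
        print(mac, "seen on", ", ".join(prefixes))
```

The temporary address yields nothing to correlate, which is exactly the property the privacy extensions are meant to provide.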

Summary

IPv6 autoconfig takes a bit of getting used to when coming from an IPv4 world. There are more options available to us, and their intended usage isn’t always clear. It’s very tempting to reach for stateful DHCPv6, as it’s what we’re most familiar with in the IPv4 world, but the answer is not as clear cut as maybe it could or should be. For most networks, SLAAC will likely provide sufficient functionality and the widest compatibility, but for enterprise networks that need additional features, stateful or stateless DHCP will be the answer. Other organizations may opt for running both stateful DHCP and SLAAC simultaneously.

Ryan Harris

I’m Ryan and I’m a Senior Network Engineer for BlueAlly (formerly NetCraftsmen) in North Carolina doing routing, switching, and security. I’m very interested in IPv6 adoption, SD-Access, and Network Optimization. Multi-vendor with the majority of my work being with Cisco and Palo Alto.
