ipv6 slaac and dhcpv6.pptx
TRANSCRIPT
©
Shameless plug:
• IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6 • By Rick Graziani • ISBN-10: 1-58714-313-5
• IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6 • By Rick Graziani • ISBN-10: 1-58720-457-6
STEAL MY STUFF!
Username = cisco, Password = perlman
www.cabrillo.edu/~rgraziani/ipv6.html
Stateful vs Stateless
• Stateful – Some server is keeping track or a record of the interaction.
• Stateless – No one is keeping track or a record…. But I can still make sure mine is unique.
Host: "Hey! I can do that!"
STATEFUL: "I need an IPv6 address from someone who is keeping track of who has what address."
STATELESS: "I will come up with my own IPv6 address…. No one will keep track of what address I have."
DHCPv6 Server: "I might not even be needed."
Dynamic IPv6 Address Allocation
Global Unicast
  Manual
    Static
    Static + EUI-64
    IPv6 unnumbered
  Dynamic
    SLAAC (Stateless)
    SLAAC + DHCPv6 (Stateless)
    DHCPv6 (Stateful)
    DHCPv6-PD
Dynamic IPv4 Address Allocation
DHCP Client: "I need IPv4 addressing information from a DHCP server."
DHCP Server: "Here is your IPv4 address, subnet mask, default gateway and DNS server addresses."
It Begins with the RA Message
• An ICMPv6 Router Advertisement (RA) tells all IPv6 devices on the link how they should obtain their IPv6 address information.
• Sent periodically by an IPv6 router or…
• … when the router receives a Router Solicitation message from a host.
• Routers can be configured with IPv6 addresses without being an IPv6 router.
Host, ICMPv6 Router Solicitation (multicast): "To all IPv6 routers, I need IPv6 address information."
Router, ICMPv6 Router Advertisement (multicast): "To all IPv6 devices, let me tell you how to do this…"
DHCPv6 Server: "I might not even be needed."
Router(config)# ipv6 unicast-routing
Routers versus IPv6 Routers
• A router (not enabled as an IPv6 router):
  • Configure IPv6 addresses
  • Member of All-IPv6 devices multicast group
• An IPv6 router:
  • Same as a non-IPv6 router
  • Member of All-IPv6 routers multicast group
  • Sends ICMPv6 Router Advertisement messages
  • Can enable IPv6 routing protocols
  • Forward IPv6 packets (transiting the router)
Router: 2001:DB8:CAFE:1::1/64, FE80::1; member of FF02::1 (All-IPv6 devices)
IPv6 Router: 2001:DB8:CAFE:1::1/64, FE80::1; member of FF02::1 (All-IPv6 devices) and FF02::2 (All-IPv6 routers); sends ICMPv6 Router Advertisements; forwards IPv6 packets; RIPng, OSPFv3, EIGRP for IPv6
Router(config)# ipv6 unicast-routing
Router Advertisement: 3 Options
Router(config)# ipv6 unicast-routing
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers)
  RA: "I'm everything you need (Prefix, Prefix-length, Default Gateway)"
Option 2: SLAAC + Stateless DHCPv6 for DNS address
  RA: "Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server." (DNS can be in the RA)
Option 3: All addressing except default gateway use DHCPv6
  RA: "I can't help you. Ask a DHCPv6 server for all your information."
Option 1 and 2: Stateless Address Autoconfiguration
• DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration
• Address received from DHCPv6 Server
RA Message Options
The type of Router Advertisement option depends on two RA flags:
ICMPv6 Router Advertisement, Option 1, 2, or 3:
                                                              Other Configuration ("O") Flag   Managed Configuration ("M") Flag
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers)                   0                                 0
Option 2: SLAAC + Stateless DHCPv6 for DNS address                       1                                 0
Option 3: All addressing except default gateway use DHCPv6               0                                 1
• Configuring Flags discussed in Lesson 8.
SLAAC: Stateless Address Autoconfiguration
1. RA Message (SLAAC Option 1)
   To: FF02::1 (All-IPv6 devices)
   From: FE80::1 (Link-local address)
   Prefix: 2001:DB8:CAFE:1::  Prefix-length: /64
   Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.
2. Host (MAC: 00-19-D2-8C-E0-4C) takes from the RA:
   Prefix: 2001:DB8:CAFE:1::  Prefix-length: /64
   Default Gateway: FE80::1
   Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID (EUI-64 process or random 64-bit value)
3. DHCPv6 Server: not used in Option 1
Link: 2001:DB8:CAFE:1::/64
SLAAC: Interface ID
Global Routing Prefix (/48) | 16-bit Subnet ID | 64-bit Interface ID (/64 boundary)
Interface ID: EUI-64 Process or Randomly Generated Number (Privacy Extension)
SLAAC default by operating system:
                              EUI-64    Random 64-bit
Windows XP, Server 2003         ✔
Windows Vista and newer                     ✔
Mac OS X                        ✔
Linux                           ✔
Default OS behavior can be changed.
SLAAC: EUI-64 Option
Modified EUI-64 Format (Extended Unique Identifier–64)
MAC address:        00 19 D2 | 8C E0 4C
                    OUI (24 bits) | Device Identifier (24 bits)
Insert FF-FE:       00 19 D2 FF FE 8C E0 4C
U/L bit flipped:    first octet 00 = 0000 0000 -> 0000 0010 = 02
Modified EUI-64:    02 19 D2 FF FE 8C E0 4C
Verifying SLAAC on the PC Using EUI-64
PC> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   IPv6 Address. . . . . . . . : 2001:db8:cafe:1:0219:d2ff:fe8c:e04c
   Link-local IPv6 Address . . : fe80::0219:d2ff:fe8c:e04c
   Default Gateway . . . . . : fe80::1
(Router Advertisement prefix + EUI-64 Interface ID)
A 64-bit Interface ID and the EUI-64 process accommodates:
• The IEEE specification for a 64-bit MAC address
• 64-bit boundary processing
SLAAC: Random 64-bit Interface ID
Verifying SLAAC on the PC Using Privacy Extension
PC-Windows7> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   IPv6 Address. . . . . . . . : 2001:db8:cafe:1:50a5:8a35:a5bb:66e1
   Link-local IPv6 Address . . : fe80::50a5:8a35:a5bb:66e1
   Default Gateway . . . . . : fe80::1
(Router Advertisement prefix + random 64-bit Interface ID: no FF-FE in the Interface ID)
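Worked example, added here and not part of the deck: the Modified EUI-64 process from the slide above and the privacy-extension alternative, in Python. The MAC 00-19-D2-8C-E0-4C and the prefix 2001:DB8:CAFE:1::/64 are the slide's; the function names are my own. `looks_like_eui64` is the check a tracker (or a privacy audit) applies: the FF-FE marker in the middle of the Interface ID reveals that the address embeds the burned-in MAC, and `eui64_to_mac` shows how much it reveals.

```python
import ipaddress
import secrets

# Values from the slides (constructed example, not captured traffic)
EXAMPLE_MAC = "00-19-D2-8C-E0-4C"
EXAMPLE_PREFIX = "2001:db8:cafe:1::/64"


def mac_to_modified_eui64(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC in two, insert FF-FE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # OUI | FF FE | device ID
    iid[0] ^= 0x02  # invert the universal/local bit (bit 7 of the first octet)
    return bytes(iid)


def eui64_to_mac(iid: bytes) -> str:
    """Reverse the process: recover the burned-in MAC from an EUI-64 Interface ID."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("not a Modified EUI-64 interface ID")
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02X}" for b in mac)


def random_interface_id() -> bytes:
    """Privacy-extension style Interface ID (RFC 4941): 64 random bits with the
    U/L bit cleared, so the ID is marked 'locally administered'."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine the /64 prefix advertised in the RA with a 64-bit Interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def looks_like_eui64(addr: str) -> bool:
    """True when octets 11-12 of the address are FF-FE: the Interface ID embeds a MAC.
    The privacy-extension address from the Windows 7 slide returns False."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


if __name__ == "__main__":
    iid = mac_to_modified_eui64(EXAMPLE_MAC)
    print("EUI-64 IID:   ", iid.hex())                        # 0219d2fffe8ce04c
    print("Global:       ", slaac_address(EXAMPLE_PREFIX, iid))
    print("Link-local:   ", slaac_address("fe80::/64", iid))
    print("MAC recovered:", eui64_to_mac(iid))
    rnd = random_interface_id()
    privacy = slaac_address(EXAMPLE_PREFIX, rnd)
    print("Privacy addr: ", privacy, "EUI-64?", looks_like_eui64(str(privacy)))
```

Running it reproduces the two ipconfig outputs above (the global and link-local addresses for the EUI-64 case, and an address without FF-FE for the privacy case); the privacy address changes on every run, which is the point of the extension.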
SLAAC: Including the DNS Server in the RA *
Router(config)# ipv6 unicast-routing
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd ra dns server 2001:db8:cafe:1::99 600
G0/1: 2001:DB8:CAFE:1::/64; DNS Server: 2001:DB8:CAFE:1::99
ICMPv6 Router Advertisement: prefix and other information, now including the DNS server
Configures a DNS server with an IPv6 address of 2001:DB8:CAFE:1::99 to be advertised in the RA with a lifetime of 600 seconds.
Ensuring Unique Unicast Addresses
• SLAAC is stateless: no entity (such as a DHCPv6 server) maintains address-to-device mappings.
• How can we guarantee the address is unique? Duplicate Address Detection (DAD).
• The host sends a Neighbor Solicitation for its own tentative address (Global Unicast 2001:db8:cafe:1:0219:d2ff:fe8c:e04c, Link-local fe80::50a5:8a35:a5bb:66e1).
• Neighbor Advertisement received? Not received = unique address. Received = duplicate address.
• RFC 4862 requires DAD on all unicast addresses (static or dynamic), with exceptions: an interface with DupAddrDetectTransmits set to 0 skips it, and it is never performed on anycast addresses.
• 64-bit Interface IDs make an accidental collision very unlikely.
You Are Probably Already Running IPv6
• Windows Vista or later, Mac OS X and Linux are already running IPv6.
• Potential DoS or MITM attack, even if the router is not IPv6 enabled.
• Even if the router is not IPv6 enabled, your clients most likely are!
• An attacker can still launch a DoS attack on clients, or perhaps even a MITM attack.
• There are mitigation techniques such as RA Guard.
Topology: R1 (IPv4 only) and a rogue RA sender share a link with dual-stack (IPv4/IPv6) hosts.
Host, Router Solicitation: "I need an IPv6 prefix"
Rogue RA: "Here is an IPv6 prefix and gateway"
DHCPv6
Global Unicast
  Manual
    Static
    Static + EUI-64
    IPv6 unnumbered (similar to IPv4 unnumbered)
  Dynamic
    SLAAC (Stateless)
    SLAAC + DHCPv6 (Stateless)
    DHCPv6 (Stateful)
    DHCPv6-PD
Stateless DHCPv6
Router as a Stateless DHCPv6 Server (IPv6 Router & DHCPv6 Server)
1. ICMPv6 Router Solicitation
2. ICMPv6 Router Advertisement
   • Option 2: Stateless DHCPv6
   • O Flag = 1, M Flag = 0
   Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.
Host: "I created my own address (Stateless), and have the default gateway, but I need a DNS address…"
Stateless DHCP Server
Setting the Other Configuration Flag
ICMPv6 Router Advertisement
• Option 2: Stateless DHCPv6
• O Flag = 1, M Flag = 0
Router(config)# interface gigabitethernet 0/0
Router(config-if)# ipv6 nd other-config-flag
SLAAC for Addressing & DHCPv6 for Other Information (DNS)
1. RA Message: Stateless DHCPv6
   To: FF02::1 (All-IPv6 devices)
   From: FE80::1 (Link-local address)
   Prefix: 2001:DB8:CAFE:1::  Prefix-length: /64
   Other Configuration Flag: 1
2. Host (MAC: 00-19-D2-8C-E0-4C) takes from the RA:
   Prefix: 2001:DB8:CAFE:1::  Prefix-length: /64
   Default Gateway: FE80::1
   Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID (EUI-64 process or random 64-bit value) = 2001:DB8:CAFE:1:6909:cb1c:36a0:a595
3. Stateless DHCPv6 Server: DHCPv6 used for DNS only
Link: 2001:DB8:CAFE:1::/64
Configuring Router as a Stateless DHCPv6 Server
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 dhcp pool IPV6-STATELESS
Router(config-dhcpv6)# dns-server 2001:DB8:CAFE:9::99
Router(config-dhcpv6)# domain-name www.example.com
Router(config)# interface GigabitEthernet 0/0
Router(config-if)# ipv6 address 2001:DB8:CAFE:1::1/64
Router(config-if)# ipv6 address FE80::1 link-local
Router(config-if)# ipv6 nd other-config-flag
Router(config-if)# ipv6 dhcp server IPV6-STATELESS
Topology: G0/0 ::1 on 2001:DB8:CAFE:1::/64; DNS Server 2001:DB8:CAFE:9::99; RA with O = 1; DHCPv6
Verifying Stateless DHCPv6 Server Configuration
PC> ipconfig /all
   Physical Address. . . .: 00-21-9B-88-0E-40
   IPv6 Address. . . . . .: 2001:db8:cafe:1:6909:cb1c:36a0:a595   (random 64-bit Interface ID)
   Default Gateway . . . .: fe80::1
   DNS Servers . . . . . .: 2001:db8:cafe:9::99
   Connection-specific DNS Suffix Search List: www.example.com
Topology: G0/0 ::1 on 2001:DB8:CAFE:1::/64; DNS Server 2001:DB8:CAFE:9::99; RA with O = 1; DHCPv6
Verifying Stateless DHCPv6 Server Configuration
Router# show ipv6 interface gigabitethernet 0/0
GigabitEthernet 0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  <Output omitted>
  Hosts use stateless autoconfig for addresses.
  Hosts use DHCP to obtain other configuration.
Router#
Stateful DHCPv6
Router as a Stateful DHCPv6 Server (IPv6 Router & DHCPv6 Server)
1. ICMPv6 Router Solicitation
2. ICMPv6 Router Advertisement
   • Option 3: Stateful DHCPv6
   • O Flag = 0, M Flag = 1
Host: "I'm only using the default gateway address from the RA. I need to contact a stateful DHCPv6 server for all my addressing."
Stateful DHCP Server
Option 3 and the "A" Flag
                                                              Managed Configuration ("M") Flag   Address Autoconfiguration ("A") Flag   Prefix in RA can be used for SLAAC
Option 3: All addressing except default gateway use DHCPv6               1                              1 (default)                           Yes
Option 3: All addressing except default gateway use DHCPv6               1                              0                                     No
ICMPv6 RA on G0/1: M Flag = 1, A Flag = 1 (O Flag = 0); DHCPv6 Server on the link
Windows host: "As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses."
The autonomous address configuration (A) flag tells hosts that they can create an address for themselves by combining the prefix in the RA with an interface identifier.
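Added Python example (mine, not the deck's) that serves both the "RA Message Options" flag table earlier and the A-flag table above: it builds a constructed RA (ICMPv6 type 134) with the M and O flags, a Prefix Information option carrying the A flag, and an RDNSS option (RFC 6106), parses it back, and maps the flags onto the deck's Option 1/2/3. `audit_ra` is a minimal RA-Guard-style check for the rogue-RA scenario on the "You Are Probably Already Running IPv6" slide. The checksum field is left zero because nothing is transmitted; function names, lifetimes and the trusted-router set are assumptions.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25     # RDNSS option: RFC 6106 (updated by RFC 8106)
FLAG_M, FLAG_O = 0x80, 0x40            # RA flags byte: Managed, Other configuration
PFX_L, PFX_A = 0x80, 0x40              # Prefix Information flags: on-Link, Autonomous


def build_ra(managed, other, prefix, autonomous=True, dns=(), router_lifetime=1800,
             valid=2592000, preferred=604800, dns_lifetime=600) -> bytes:
    """Constructed RA body (ICMPv6 header + options). Checksum is left 0: parse-only."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                      PFX_L | (PFX_A if autonomous else 0), valid, preferred, 0)
    ra += net.network_address.packed
    if dns:
        ra += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, dns_lifetime)
        ra += b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return ra


def parse_ra(pkt: bytes) -> dict:
    """Decode the flags and the options a SLAAC host acts on; reject malformed options."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags, router_lifetime = pkt[5], struct.unpack("!H", pkt[6:8])[0]
    ra = {"managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "router_lifetime": router_lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):      # RFC 4861: option length 0 => discard
            raise ValueError("malformed ND option")
        body = pkt[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                                   "on_link": bool(pflags & PFX_L),
                                   "autonomous": bool(pflags & PFX_A),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS and olen >= 24:
            ra["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                            for i in range(6, len(body) - 15, 16)]
        off += olen
    return ra


def classify(ra: dict) -> str:
    """Map the M/O/A flags onto the deck's three RA options."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "Option 3: stateful DHCPv6 for addresses" + (
            " (A=1: SLAAC addresses also formed)" if slaac else " (A=0: no SLAAC)")
    if ra["other"]:
        return "Option 2: SLAAC + stateless DHCPv6 for other information"
    return "Option 1: SLAAC only" + (" with DNS in the RA" if ra["rdnss"] else "")


def audit_ra(src: str, ra: dict, trusted_routers, expected_prefixes) -> list:
    """RA-Guard-style checks on one RA; any finding means drop it and alert.
    'src' is the packet's IPv6 source, which RFC 4861 requires to be link-local."""
    src = str(ipaddress.IPv6Address(src))
    trusted = {str(ipaddress.IPv6Address(t)) for t in trusted_routers}
    findings = []
    if not ipaddress.IPv6Address(src).is_link_local:
        findings.append(f"RA source {src} is not link-local")
    if src not in trusted:
        findings.append(f"RA from untrusted source {src}")
    for p in ra["prefixes"]:
        if p["prefix"] not in expected_prefixes:
            findings.append(f"unexpected prefix {p['prefix']}")
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: sender withdraws itself as default gateway")
    return findings


if __name__ == "__main__":
    ra2 = parse_ra(build_ra(False, True, "2001:db8:cafe:1::/64", dns=["2001:db8:cafe:1::99"]))
    print(classify(ra2), ra2["rdnss"])
    ra3 = parse_ra(build_ra(True, False, "2001:db8:cafe:2::/64", autonomous=False))
    print(classify(ra3))
    print(audit_ra("fe80::bad", ra3, {"fe80::1"}, {"2001:db8:cafe:1::/64"}))
```

The last call reproduces the rogue-RA case: an RA from an unexpected link-local source advertising a prefix the network does not use. A real RA Guard works on the switch port rather than on the source address, since the rogue can spoof FE80::1 too; the address check here is only the host-side approximation.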
Setting the Managed Configuration Flag
ICMPv6 Router Advertisement
• Option 3: Stateful DHCPv6
• O Flag = 0, M Flag = 1
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd managed-config-flag
G0/1; DHCPv6 Server on the link
Stateful DHCPv6 without SLAAC
ICMPv6 Router Advertisement
• Option 3: Stateful DHCPv6
• O Flag = 0, M Flag = 1
• No SLAAC: A Flag = 0
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 nd prefix prefix/length no-autoconfig
G0/1; DHCPv6 Server on the link
• no-autoconfig (Optional) Indicates to hosts on the local link that the specified prefix cannot be used for IPv6 autoconfiguration (SLAAC).
• The prefix will be advertised with the A-bit clear (autonomous address-configuration flag).
Without the A-bit clear, the Windows host says: "As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses."
Stateful DHCPv6
1. RA Message: Stateful DHCPv6
   To: FF02::1 (All-IPv6 devices)
   From: FE80::1 (Link-local address)
   Prefix: 2001:DB8:CAFE:2::  Prefix-length: /64
   Managed Configuration Flag: 1
   Autonomous Address Flag: 0
2. Host takes from the RA: Default Gateway: FE80::1; Global Unicast Address: obtained via DHCPv6
3. Stateful DHCPv6 Server: DHCPv6 exchange supplies the address
Link: 2001:DB8:CAFE:2::/64
Without the A-bit clear, the Windows host says: "As a Windows host I will still use the RA prefix to create temporary (SLAAC) addresses."
Configuring Router as a Stateful DHCPv6 Server
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 dhcp pool IPV6-STATEFUL
Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80
Router(config-dhcpv6)# dns-server 2001:DB8:CAFE:9::99
Router(config-dhcpv6)# domain-name www.example.com
Router(config)# interface GigabitEthernet 0/1
Router(config-if)# ipv6 address 2001:DB8:CAFE:2::1/64
Router(config-if)# ipv6 address FE80::1 link-local
Router(config-if)# ipv6 nd managed-config-flag
Router(config-if)# ipv6 dhcp server IPV6-STATEFUL
The address prefix can also be a /64.
Topology: G0/1 ::1 on 2001:DB8:CAFE:2::/64; DNS Server 2001:DB8:CAFE:9::99; RA with M = 1; DHCPv6
Including Specific Addresses
Router(config-dhcpv6)# address prefix 2001:DB8:CAFE:2:DEED::/80
Available addresses for this network, 2001:DB8:CAFE:2::/64:
  2001:DB8:CAFE:2:0:0:0:0 through 2001:DB8:CAFE:2:FFFF:FFFF:FFFF:FFFF
INCLUDED: assigned addresses will have these 80 bits, 2001:DB8:CAFE:2:DEED::/80:
  2001:DB8:CAFE:2:DEED:0:0:0, 2001:DB8:CAFE:2:DEED:0:0:1, 2001:DB8:CAFE:2:DEED:0:0:2 . . .
All other addresses in the /64 are EXCLUDED.
Verifying Stateful DHCPv6 Server Configuration
PC> ipconfig /all
   Physical Address. . . .: 00-21-9B-88-0E-40
   IPv6 Address. . . . . .: 2001:db8:cafe:2:deed:2de8:cfd8:5
   Default Gateway . . . .: fe80::1
   DNS Servers . . . . . .: 2001:db8:cafe:9::99
   Connection-specific DNS Suffix Search List: www.example.com
Topology: G0/1 ::1 on 2001:DB8:CAFE:2::/64; DNS Server 2001:DB8:CAFE:9::99; RA with M = 1; DHCPv6
Verifying Stateful DHCPv6 Server Configuration
Router# show ipv6 interface gigabitethernet 0/1
GigabitEthernet 0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:2::1, subnet is 2001:DB8:CAFE:2::/64
  <output omitted>
  Hosts use DHCP to obtain routable addresses.
Router#
Topology: G0/1 ::1 on 2001:DB8:CAFE:2::/64; DNS Server 2001:DB8:CAFE:9::99; RA with M = 1; DHCPv6
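Added Python example (mine, not the deck's) covering both the stateless exchange (O = 1: an Information-Request answered by a Reply that carries only the DNS and domain options) and the stateful one (M = 1: the Reply also carries an IA_NA with the leased address), using the deck's values: DNS server 2001:DB8:CAFE:9::99, domain-name www.example.com and a lease from the 2001:DB8:CAFE:2:DEED::/80 pool. The DUIDs and transaction IDs are made up. `reply_matches` is the client-side check that a Reply answers our own request; it rejects stray or replayed replies but not a rogue server that saw the multicast request, which is a job for a switch-side control like the RA Guard the deck mentions (its DHCPv6 counterpart).

```python
import ipaddress
import struct

REPLY, INFORMATION_REQUEST = 7, 11
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_ORO = 1, 2, 3, 5, 6
OPT_ELAPSED_TIME, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 8, 23, 24

# Constructed DUID-LLs (type 3, hardware type 1 = Ethernet, then a MAC); any opaque bytes would do
CLIENT_DUID = bytes.fromhex("00030001" + "00219b880e40")   # MAC from the ipconfig slide
SERVER_DUID = bytes.fromhex("00030001" + "001122334455")   # made-up server MAC


def option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def encode_domain(name: str) -> bytes:
    """DNS wire format used by option 24: length-prefixed labels, zero-terminated."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def decode_domains(data: bytes) -> list:
    names, labels, i = [], [], 0
    while i < len(data):
        n, i = data[i], i + 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
        else:
            labels.append(data[i:i + n].decode())
            i += n
    return names


def build_information_request(xid: int) -> bytes:
    """Stateless client (O = 1): it already has a SLAAC address and asks only for 'other'
    data. Sent to ff02::1:2 (All_DHCP_Relay_Agents_and_Servers), UDP port 547."""
    body = (option(OPT_CLIENTID, CLIENT_DUID)
            + option(OPT_ORO, struct.pack("!HH", OPT_DNS_SERVERS, OPT_DOMAIN_LIST))
            + option(OPT_ELAPSED_TIME, b"\x00\x00"))
    return bytes([INFORMATION_REQUEST]) + xid.to_bytes(3, "big") + body


def build_reply(xid: int, dns, domains, lease: str = None, iaid: int = 1) -> bytes:
    """Server REPLY. With 'lease' set it also carries IA_NA/IAADDR, i.e. the stateful
    (M = 1) case in which the server records who holds which address."""
    body = option(OPT_SERVERID, SERVER_DUID) + option(OPT_CLIENTID, CLIENT_DUID)
    body += option(OPT_DNS_SERVERS, b"".join(ipaddress.IPv6Address(a).packed for a in dns))
    body += option(OPT_DOMAIN_LIST, b"".join(encode_domain(d) for d in domains))
    if lease:
        iaaddr = option(OPT_IAADDR, ipaddress.IPv6Address(lease).packed
                        + struct.pack("!II", 604800, 2592000))          # preferred, valid
        body += option(OPT_IA_NA, struct.pack("!III", iaid, 3600, 5760) + iaaddr)  # IAID, T1, T2
    return bytes([REPLY]) + xid.to_bytes(3, "big") + body


def parse_options(data: bytes) -> list:
    opts, i = [], 0
    while i + 4 <= len(data):
        code, length = struct.unpack("!HH", data[i:i + 4])
        if i + 4 + length > len(data):
            raise ValueError("truncated DHCPv6 option")
        opts.append((code, data[i + 4:i + 4 + length]))
        i += 4 + length
    return opts


def parse_message(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("short DHCPv6 message")
    return {"type": pkt[0], "xid": int.from_bytes(pkt[1:4], "big"), "options": parse_options(pkt[4:])}


def extract_config(msg: dict) -> dict:
    """What the client keeps from a REPLY: DNS servers, search domains, leased addresses."""
    cfg = {"dns": [], "domains": [], "addresses": []}
    for code, data in msg["options"]:
        if code == OPT_DNS_SERVERS:
            cfg["dns"] += [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data) - 15, 16)]
        elif code == OPT_DOMAIN_LIST:
            cfg["domains"] += decode_domains(data)
        elif code == OPT_IA_NA:
            for sub, sdata in parse_options(data[12:]):          # skip IAID, T1, T2
                if sub == OPT_IAADDR and len(sdata) >= 16:
                    cfg["addresses"].append(str(ipaddress.IPv6Address(sdata[:16])))
    return cfg


def reply_matches(request: bytes, reply: bytes) -> bool:
    """Client sanity check: accept only a REPLY carrying our transaction ID and our CLIENTID."""
    req, rep = parse_message(request), parse_message(reply)
    return (rep["type"] == REPLY and rep["xid"] == req["xid"]
            and dict(rep["options"]).get(OPT_CLIENTID) == CLIENT_DUID)


if __name__ == "__main__":
    req = build_information_request(0x123456)
    rep = build_reply(0x123456, ["2001:db8:cafe:9::99"], ["www.example.com"])
    print("stateless:", reply_matches(req, rep), extract_config(parse_message(rep)))
    rep = build_reply(0x123456, ["2001:db8:cafe:9::99"], ["www.example.com"],
                      lease="2001:db8:cafe:2:deed:2de8:cfd8:5")
    print("stateful: ", extract_config(parse_message(rep)))
```

The stateless output matches the `ipconfig /all` slide for the stateless case (DNS server and suffix, no DHCPv6 address); the stateful output adds the leased address from the /80 pool, which is exactly the state the server has to keep and the SLAAC-only router does not.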
DHCPv4 and Private Addresses for the Home
• ISP only has to deliver a public IPv4 address for the Home router interface.
• DHCPv4 and RFC 1918 private address space is used for the home network.
• NAT is used for translation – but has its drawbacks!
• No NAT between private-public IPv6 (always in debate)
Topology: ISP G0/1 <-> HOME G0/1 (public IPv4 address for the interface, via DHCPv4); HOME G0/0 (private IPv4 address from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, via DHCPv4); NAT on the home router
The World of IPv6 and DHCPv6-PD
Topology: ISP-DR G0/1 <-> HOME-RR G0/1; HOME-RR G0/0 toward the home LAN
Delegating Router (DR): ISP-DR
Requesting Router (RR): HOME-RR
Global IPv6 addresses on both sides: complete IPv6 reachability
1. DHCPv6-PD REQUEST (RR to DR)
2. DHCPv6-PD REPLY (DR to RR, with the delegated prefix)
3. RA with prefix (RR to the home LAN)