IPv6 address assignment will be messy

I am currently developing an introductory workshop on IPv6 for IT consultants.

Scope:
A client (Windows 7) is connected to an internal network. On the same network there is a router facing the internet and a DHCPv6-enabled server.

Scenario 1
The DHCPv6 service is disabled. The router has RA (Router Advertisements) enabled.
What happens?

  • The client gets a self-assigned, globally routable IPv6 address based on the RA received.
  • The client will use the RA source address as its default gateway.
  • The client will (obviously) not get any DNS settings.

Scenario 2
The DHCPv6 service is enabled, but the router sends no RAs.
What happens?

  • The client will get an IP address from the DHCPv6 pool.
  • The client will NOT get a default gateway.
  • The client will get DNS settings from the DHCPv6 server.

Scenario 3:
Both RAs and DHCPv6 are enabled on the network.
What happens?

  • The client will get an IP address (self-assigned based on the RA, NOT from the DHCPv6 server!).
  • The client will use the RA source address as its default gateway.
  • The client will request and receive DNS settings from DHCPv6.

So my conclusion is that both RA and DHCPv6 are needed for the client to receive all of its settings. And if you run both, the DHCP scope on the server will not be used, because the client will use the RA-derived addresses. Bye bye, static leases!

Oh, and the security angle: how much have we disliked the flaws of unauthenticated address assignment in IPv4? How much will we, in the near future, dislike the fact that we need two different protocols to get IP settings to our clients? And are DHCPv6 and RA even remotely secure? Noooes.

Posted in General Networking, General Security, Security
4 comments on “IPv6 address assignment will be messy”
  1. Henrik says:

    A lot of good things can be said about IPv6, but for all its strengths it’s got more than its share of weaknesses, SLAAC definitely being one of them (at least from an ISP point of view), as well as the late development of DHCPv6 (which in many cases still isn’t feature complete with its v4 predecessor).

    In practice, you’re always going to need an RA from your router to kick clients into IPv6 mode, regardless of whether you use any flavour of SLAAC, DHCPv6 or even static addresses. If you want to use the SLAAC approach, you CAN configure your RA messages to include name-server information (though I can’t find the command on Cisco to do this right now; it might be that this is a fairly recent addition to the spec).

    If you want to avoid the self-generated global SLAAC addresses you need to make sure that your router sends RAs with the M (Managed) bit set (Cisco does this with the ‘ipv6 nd managed-config-flag’ interface command). This instructs the end node to NOT calculate an EUI-64/PrivExt address but rather go solicit the network for a DHCPv6 server. (Which, thanks to the ‘ipv6 dhcp relay destination 2001:db8:1::1234’ interface command may be off-net.) There ARE plans to include a default gateway parameter in DHCPv6, but I don’t think it’s quite there yet. Seems like something that would be prioritized now that IPv6 is out in the real world…

    There’s another “neat” (but perhaps not exceedingly useful) trick where you can use RAs and SLAAC to generate the host address and find your router, but then you can request everything else (DNS, gateway, options) from a DHCPv6 server – in this case you send the RAs with the O (Other) bit set (‘ipv6 nd other-config-flag’). I’m struggling to find a scenario where this would be applicable, but in a large network with loads of transient clients that you don’t need to keep track of, perhaps?


  2. Andreas di Zazzo says:

    http://www.ietf.org/rfc/rfc5006.txt has been out for a while but still not implemented. Until then we’ll be stuck with DHCP server configuration for DHCP options along with the RA auto-addressing scheme.
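An added example, not code from the post or from either commenter, that models the three scenarios in the post together with the M/O-bit behaviour Henrik describes and the RDNSS option (RFC 5006) Andreas mentions: it parses an ICMPv6 Router Advertisement and derives what a host ends up with. Host behaviour follows RFC 4861/4862 (SLAAC is governed by the prefix A flag, DHCPv6 addressing by the M flag, DHCPv6 for other options by the O flag); the MAC, the RA bytes and build_ra are constructed for the example.

```python
import ipaddress
import struct

M_FLAG, O_FLAG = 0x80, 0x40          # RA "Managed" and "Other config" bits (RFC 4861)
OPT_PREFIX, OPT_RDNSS = 3, 25        # Prefix Information option; RDNSS option (RFC 5006)

def eui64_suffix(mac: bytes) -> bytes:
    """Interface identifier a SLAAC host derives from its 48-bit MAC (RFC 4291)."""
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]   # flip U/L bit, insert ff:fe

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134): flags, lifetime, PIO and RDNSS options."""
    if icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = icmp[5], struct.unpack("!H", icmp[6:8])[0]
    ra = {"managed": bool(flags & M_FLAG), "other": bool(flags & O_FLAG),
          "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    i = 16                                                   # fixed header is 16 bytes
    while i + 2 <= len(icmp):
        otype, olen = icmp[i], icmp[i + 1] * 8               # option length is in 8-byte units
        if olen == 0 or i + olen > len(icmp):
            raise ValueError("malformed option")            # RFC 4861: discard RAs with bad options
        body = icmp[i + 2:i + olen]
        if otype == OPT_PREFIX:                              # plen, flags, valid, preferred, reserved, prefix
            ra["prefixes"].append((ipaddress.IPv6Address(body[14:30]), body[0], bool(body[1] & 0x40)))
        elif otype == OPT_RDNSS:                             # reserved(2), lifetime(4), then 16-byte addresses
            ra["rdnss"] += [ipaddress.IPv6Address(body[k:k + 16]) for k in range(6, len(body) - 15, 16)]
        i += olen
    return ra

def client_outcome(ra, ra_source, mac: bytes, dhcpv6_available: bool) -> dict:
    """Configuration a host ends up with; ra is None when no RA is heard (the post's scenario 2)."""
    if ra is None:   # no RA: DHCPv6 can supply an address and DNS, but nothing supplies a gateway
        return {"slaac_addresses": [], "dhcpv6_address": dhcpv6_available, "gateway": None,
                "dns_source": "DHCPv6" if dhcpv6_available else None}
    slaac = [ipaddress.IPv6Address(p.packed[:8] + eui64_suffix(mac))
             for p, plen, autonomous in ra["prefixes"] if autonomous and plen == 64]
    dns = ("RDNSS in RA" if ra["rdnss"] else
           "DHCPv6" if (ra["managed"] or ra["other"]) and dhcpv6_available else None)
    return {"slaac_addresses": slaac, "dhcpv6_address": ra["managed"] and dhcpv6_available,
            "gateway": ra_source if ra["router_lifetime"] > 0 else None, "dns_source": dns}

def build_ra(flags: int, lifetime: int, prefix: str, rdnss=()) -> bytes:
    """Constructed RA for testing (checksum left 0; a real packet carries the pseudo-header checksum)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX, 4, 64, 0xC0, 2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600) if rdnss else b""
    return hdr + pio + opt + b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
```

Because nothing in the RA authenticates its sender, the same parser run on captured RAs is a cheap way to spot an unexpected router or prefix on a segment.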
