
DHCPV6 REVISITED

Understanding Stateless & Stateful Address Autoconfiguration

Certified Network Engineer for IPv6 (CNE6) – Gold


Disclaimer
• We wish to inform you that these CNE6 Gold course materials and their content are solely for the purpose of the CNE6 Gold examination and shall not be made available to any other parties without our written consent. All material in this course material is, unless otherwise stated, the property of NLTVC Education Sdn Bhd (NESB) and protected by Copyright Law. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of NESB, is a violation of copyright law.

DHCPv6 Standards
• Relevant RFCs include:
  • RFC 3315 - Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
  • RFC 3633 - IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6
  • RFC 3736 - Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6
• More information about DHCP standards
  • IETF dhc WG page (http://www.ietf.org/html.charters/dhc-charter.html)

Overview Of DHCPv6
• Used to configure nodes with the following:
  • One or more IPv6 addresses, or
  • Configuration information, or
  • One or more IPv6 prefixes
  • Or all of the above
• Offers similar functionality to DHCPv4 but for IPv6
• Additional mode of operation in DHCPv6
  • Stateless DHCPv6, where only configuration information is exchanged
  • Stateful is similar to how DHCPv4 traditionally operates
• Requires IPv6 transport
• DHCPv6 is not simply an upgrade to DHCPv4; it is a separate and distinct protocol

DHCPv6 @ DHCP for IPv6
• Most network equipment vendors today will support DHCPv6
  • But some may not support the whole DHCPv6 specification
  • Cisco IOS (12.4T) only supports DHCP-Prefix Delegation
  • Allied Telesis supports the entire DHCPv6 specification incl. DHCP Authentication
• Types of DHCPv6 nodes are:
  • DHCPv6 Client
  • DHCPv6 Server
  • DHCPv6 Relay (used when Server is not in the same Subnet with the client)

Role of Routers
• Routers in IPv6 deployments have different roles in the network compared to routers in IPv4 deployments
• IPv6 routers advertise their availability using IPv6 Router Advertisement messages
  • This is unlike IPv4 deployments, where hosts are explicitly told where routers are (statically, via DHCPv4, etc.)
• IPv6 routers also transmit additional information that is relevant to the links they serve, including but not limited to the following:
  • Prefix information, or information about prefixes that are in use or valid for a given link or links
  • Flags that suggest how DHCPv6 should be used by nodes
    • Managed bit suggests use of stateful DHCPv6
    • Other bit suggests use of stateless DHCPv6
  • Additionally, the Autonomous bit indicates that auto-configuration should be used by nodes

DHCPv6 @ DHCP for IPv6
An IPv6 client will know what to do by looking at the M & O flags in Router Advertisements

M bit  O bit  Description
0      0      Addressing and other configuration information to be obtained via RAs
1      0      Addresses to be obtained via DHCP, other configuration information from RAs
0      1      Use RAs for auto-configuration. Other information obtained from DHCP
1      1      Addressing and other configuration information to be obtained via DHCP

• Most DHCPv6 implementations will also support the Prefix Delegation extension (RFC 3633)
• DNS configuration option (RFC 3646) allows the client to request DNS server information
• RFC 3736 defines Stateless DHCPv6.
  • This type of DHCPv6 does not provide any address assignments but only gives out ‘stateless’ information, e.g. DNS server list.
  • This is done using an Information-request <-> Reply message exchange.

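The flag table above can be read straight off the wire. The following is an added example, not part of the course slides: it parses a Router Advertisement's M and O bits and the Autonomous bit of each Prefix Information option, then maps them to the behaviour in the table. The sample packet and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample RA (not from the slides): M=0, O=1, one Prefix
# Information option for 2001:db8:1::/64 with the L and A bits set.
SAMPLE_RA = bytes.fromhex(
    "86000000" "40" "40" "0708" "00000000" "00000000"  # ICMPv6 type 134, flags 0x40
    "0304" "40" "c0" "00278d00" "00093a80" "00000000"  # option 3, /64, flags L|A
    "20010db8000100000000000000000000"                 # prefix 2001:db8:1::
)

def parse_ra(pkt):
    """Extract the M/O flags and each prefix's Autonomous bit from an RA."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    info = {"M": bool(pkt[5] & 0x80), "O": bool(pkt[5] & 0x40), "prefixes": []}
    off = 16                                   # options follow the fixed header
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8   # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(pkt):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:    # Prefix Information option
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            autonomous = bool(pkt[off + 3] & 0x40)
            info["prefixes"].append((f"{prefix}/{pkt[off + 2]}", autonomous))
        off += opt_len
    return info

def client_behaviour(info):
    """Map the flags to (address source, other-config source) per the M/O table."""
    if info["M"]:
        addresses = "stateful DHCPv6"
    elif any(autonomous for _, autonomous in info["prefixes"]):
        addresses = "SLAAC"
    else:
        addresses = "none advertised"
    other = "DHCPv6" if info["O"] else "RA"
    return addresses, other
```
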
DHCPv6 Operational model
• DHCPv6 configuration and operation model is significantly different to DHCPv4
• DHCPv6 clients listen on port 546, servers and relays listen on port 547
• The following multicast addresses are reserved for DHCP servers and relays
  • FF02::1:2, All DHCP Agents (relays and servers) [rfc3315]
  • FF05::1:3, All DHCP servers
• Rapid commit
  • Rapid commit can be specified so that a faster 2 message exchange is used
  • The 4 message exchange allows the client to build a list of potential servers from received Advertise messages.
  • Rapid commit is good if there is only one server
  • Both server and client will have to enable the rapid commit option for it to work
• Each IPv6 interface can act either as a server, client or relay at any time.

DHCPv6 Stateless Information
• IPv6 prefix
• Vendor specific options
• Addresses of SIP servers
• Addresses of DNS servers and search options
• Network Information Service (NIS) configuration
• Simple Network Time Protocol (SNTP) servers
• Broadcast and Multicast Controller Servers (BCMS) servers

Understanding DUID
DHCP Unique Identifier (DUID)
• Variable-length data which uniquely identifies each individual DHCPv6 client or server.
• Designed to ensure better uniqueness of the identifier among all clients and servers.
• The only comparison that a DHCP client or a server can do between two DUIDs is to test to see if they are equal.
• A DUID begins with a 2-byte type field, followed by type-specific variable length data. [RFC3315] defines the following three types:
  • DUID-LLT: Link-Layer address plus Time
  • DUID-EN: Vendor-assigned unique ID based on Enterprise Number
  • DUID-LL: Link-Layer address

Types of DUID
Link-layer address plus time (DUID-LLT)
• Recommended for all general purpose computing devices, such as desktop computers, printers, routers, etc.
• The device must contain some form of writable non-volatile storage.
• Note that the ‘time’ on the device should be configured before the DUID is generated, if possible. The only purpose of the timestamp is to lower the chance of an identifier conflict.
• The link-layer address is typically the MAC address for Ethernet media. The DUID is defined as follows:

Types of DUID
Vendor-assigned unique ID based on Enterprise Number (DUID-EN)
• This form of DUID is assigned by the vendor to the device. It consists of the vendor's registered Private Enterprise Number as maintained by IANA followed by a unique identifier assigned by the vendor. The following diagram summarizes the structure of a DUID-EN

Types of DUID
Link-Layer Address (DUID-LL)
• This form is just like the DUID-LLT, without the timestamp.
• It is recommended for permanently connected devices that have a link-layer address, but no nonvolatile, writeable stable storage.

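The three DUID layouts described above can be decoded with a few lines of code, which is useful when correlating DHCPv6 server logs with switch or ARP/ND data, since DUID-LLT and DUID-LL carry the link-layer address. This is an added example, not part of the course slides; the field layouts follow RFC 3315, and the sample DUIDs and function names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base

# Constructed samples (not from the slides); 32473 is the documentation PEN.
SAMPLE_LLT = bytes.fromhex("0001" "0001" "1c39cf88" "080027fe8f95")
SAMPLE_EN = bytes.fromhex("0002" "00007ed9" "0cc084d303000912")
SAMPLE_LL = bytes.fromhex("0003" "0001" "080027fe8f95")

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_duid(raw):
    """Decode a DUID into a dict; raises ValueError on truncated input."""
    if len(raw) < 2:
        raise ValueError("DUID shorter than its 2-byte type field")
    (dtype,) = struct.unpack_from("!H", raw)
    body = raw[2:]
    if dtype == 1:                                    # DUID-LLT
        if len(body) < 6:
            raise ValueError("truncated DUID-LLT")
        hwtype, secs = struct.unpack_from("!HI", body)
        return {"type": "DUID-LLT", "hwtype": hwtype,
                "time": DUID_EPOCH + timedelta(seconds=secs),
                "lladdr": _mac(body[6:])}
    if dtype == 2:                                    # DUID-EN
        if len(body) < 4:
            raise ValueError("truncated DUID-EN")
        (pen,) = struct.unpack_from("!I", body)
        return {"type": "DUID-EN", "enterprise": pen, "id": body[4:].hex()}
    if dtype == 3:                                    # DUID-LL
        if len(body) < 2:
            raise ValueError("truncated DUID-LL")
        (hwtype,) = struct.unpack_from("!H", body)
        return {"type": "DUID-LL", "hwtype": hwtype, "lladdr": _mac(body[2:])}
    # Unknown types stay opaque: they can only be compared for equality.
    return {"type": f"unknown({dtype})", "raw": body.hex()}

def embedded_mac(raw):
    """Link-layer address carried in the DUID, or None for DUID-EN/unknown."""
    return parse_duid(raw).get("lladdr")
```
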
Viewing your node’s DUID
• Microsoft Windows 7 has several DHCPv6 related commands:
  • ipconfig /release6 - release assigned IPv6 address(es), de-configure network
  • ipconfig /renew6 - do a new configuration request for IPv6
  • ipconfig /all - view all network configuration settings (IPv4 and IPv6)

Viewing your Node’s DUID
Understanding Identity Association (IA)
Identity Association (IA)
• A conceptual structure that identifies a set of DHCPv6 configuration information.
• Each IA is identified by a 32-bit identifier (Identity Association IDentifier, IAID).
• An IAID must uniquely identify one particular IA within each client.
• IA was introduced in DHCPv6 because an interface can have multiple IP addresses.
• IAs define multiple identities within a single client, each associated with a different IPv6 address.

Types of IA
• RFC3315 & 3633 define the following three types of IA:
  • Identity Association for Non-temporary Addresses (IA_NA)
    Used for non-temporary IPv6 addresses allocated for a client’s interface.
  • Identity Association for Temporary Addresses (IA_TA)
    Used for sets of temporary IPv6 addresses to be allocated for a client’s interface (privacy extension)
  • Identity Association for Prefix Delegation (IA_PD)
    Defines a set of IPv6 prefixes to be allocated from a delegating router to a requesting router for prefix delegation.

DHCPv6 to DHCPv4 Message Comparison
DHCPv6 Message Types
Message Type         Description
Solicit              Sent by clients to locate servers
Advertise            To indicate to clients that the server is available. Can also contain server preference value.
Request              Sent by clients to request configuration parameters and addresses
Confirm              Sent by clients to any available server to determine whether the addresses it was assigned are still appropriate on the link to which the client is connected.
Renew                Sent by client to the server that assigned it the addresses it is trying to renew. Also used to update configuration parameters
Rebind               Similar to the Renew message and is sent if the client did not get a reply from the server.
Reply                Sent by server in response to most messages sent by a client. To inform client whether their request has been processed successfully or not
Release              Sent to the server to inform it of addresses that the client will no longer be using
Decline              To inform the server that one or more addresses that the server is trying to assign to the client are already in use (DAD)
Reconfigure          Sent by the server to inform clients that configuration information has been updated and client should start a Renew/Reply or Info-Req/Reply exchange to get the updated information
Information-Request  Sent by client to request configuration parameters only
Relay-Forward        Sent by relay agents to servers. Contains the original message sent by a client.
Relay-Reply          Sent by a server to a relay agent containing a reply to the client message contained in the Relay-Forward message

The DHCPv6 Protocol
• When it first comes up, before any DHCPv6 operation, an IPv6 capable client node generates a link-local unicast address through ND (and possibly a global unicast address as well, using information from a Router Advertisement message).
• If an RA message is seen, then the client can check the M & O bits in it to determine if there is Stateful DHCPv6, Stateless DHCPv6, or no DHCPv6 available. If no RA is available, a client can still attempt DHCPv6 server discovery, as follows:
  • The client sends a SOLICIT message to multicast group ff02::1:2.
  • This address specifies all DHCPv6 servers or relay agents on the local-link. The included options are:
    • ClientID
    • Option Request Option (IA-NA, DNS-Servers, Domain-List)

DHCPv6 Message Exchange
• 2 message exchanges
  • Information-Request, Reply message exchange
    • Used when the client only requires configuration information and does not require address assignment, e.g. DNS server addresses
  • Solicit, Reply message exchange (Rapid Commit feature)
    • Client immediately requests address assignment and does not wait to get a list of DHCPv6 servers
    • DHCPv6 server must agree to this as well
• 4 message exchanges
  • Solicit, Advertise, Request, Reply message exchange
    • When a client requires the assignment of addresses

How it Works: Address Assignment

Solicit Message

Advertise Message
How it Works: Address Assignment
Request Message

Reply Message
Stateful DHCPv6 Message Exchange
Stateful DHCPv6 Message Exchange (Rapid Commit)
Stateful DHCPv6 Message Exchange (with Relay Agent)
Stateless DHCPv6
• Assumes one or more techniques used by a node to acquire one or more IPv6 addresses
  • Static assignment
  • Auto-configuration
• Stateless DHCPv6 is a two message exchange (INFORMATION-REQUEST, REPLY) between a DHCPv6 client and server where configuration information only is provided

Stateless DHCPv6 Message Exchange
Prefix Delegation Message Exchange
DHCPv6 Server Preference Option
• DHCPv6 server preference option indicates the preferences as configured administratively for a DHCPv6 server
• Per RFC3315 DHCPv6 clients wait a specified amount of time and gather DHCPv6 server responses to their requests
  • If a DHCPv6 server response contains a preference less than 255
  • No preference indicates a preference of zero
• Preference of 255 suggests that no further waiting is required; this is the highest preference
• After waiting the specified amount of time a DHCPv6 client must select the best response

DHCPv6 Reconfigure
• Unlike that of DHCPv4, DHCPv6 Reconfigure affords a secure technique for DHCPv6 servers to interact with DHCPv6 clients
• The Reconfiguration Key Authentication Protocol, as specified in RFC3315, is the mechanism used to enable this interaction securely
• DHCPv6 clients must advertise support and willingness to enable Reconfigure
  • DHCPv6 server must obviously be enabled and support this behavior as well
• After successfully negotiating willingness to support Reconfigure, DHCPv6 servers can be triggered to transmit Reconfigure messages to DHCPv6 clients
  • Renew, Information-Request, or Rebind can result from the transmission of a Reconfigure message
• Reconfigure Key Authentication Protocol does not imply support for DHCPv6 Authentication as specified in RFC3315

DHCPv6 Deployment Considerations
• DHCPv6 is typically used to provide controlled dynamic allocation of IPv6 addresses and prefixes
  • Static addressing, as with IPv4, is challenging to scale
  • Auto-configuration in IPv6 does not afford adequate control
  • DHCPv6 is at this time the most widely available approach to dynamically distribute configuration information
• DHCPv6 is also the most common approach to facilitate IPv6 prefix delegation
• Deployment considerations apply when determining how to offer DHCPv4 and DHCPv6 services; consider the balance between impact to existing services over IPv4 and manageability
  • Both protocols on the same server, one process
  • Both protocols on the same server, two processes
  • One protocol per server, implies one process

DHCPv6 Authentication
• DHCPv6 clients may be subjected to DoS attacks by fake DHCPv6 servers
• Based on authentication for DHCPv4
• Uses the Authentication option to verify the identity of the sender.
• Manual keying is sufficient, IKE with pre-shared keys is recommended. Use of public keys is also possible

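Where DHCPv6 Authentication is not deployed, a monitoring point can still flag server messages that come from an unexpected Server ID. The following is an added example, not part of the course slides and not an implementation of the RFC 3315 authentication protocol: it parses client/server DHCPv6 payloads (as captured from UDP ports 546/547) and reports Advertise, Reply and Reconfigure messages whose server DUID is not on an allow-list. The allow-list, DUIDs, transaction IDs and function names are constructed for illustration.

```python
import struct

SERVER_MSGS = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE"}
OPT_CLIENTID, OPT_SERVERID, OPT_PREFERENCE, OPT_AUTH = 1, 2, 7, 11

def parse_message(payload):
    """Split a client/server DHCPv6 message into (type, xid, {option: bytes})."""
    if len(payload) < 4:
        raise ValueError("short DHCPv6 message")
    mtype, xid, opts, off = payload[0], payload[1:4].hex(), {}, 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, off)
        if off + 4 + length > len(payload):
            raise ValueError("option overruns message")
        opts.setdefault(code, payload[off + 4:off + 4 + length])  # keep first instance
        off += 4 + length
    return mtype, xid, opts

def audit_server_message(payload, approved_duids):
    """Return a finding for a server message from an unapproved DUID, else None."""
    if not payload or payload[0] not in SERVER_MSGS:
        return None                      # client and relay messages are out of scope
    mtype, xid, opts = parse_message(payload)
    duid = opts.get(OPT_SERVERID, b"").hex()
    if duid in approved_duids:
        return None
    pref = opts[OPT_PREFERENCE][0] if opts.get(OPT_PREFERENCE) else 0
    return {"msg": SERVER_MSGS[mtype], "xid": xid, "server_duid": duid or None,
            "preference": pref, "authenticated": OPT_AUTH in opts}

def _opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

# Constructed samples (not from the slides): all values below are made up.
APPROVED = {"00030001005056aabb01"}
CLIENT = _opt(OPT_CLIENTID, bytes.fromhex("00030001080027fe8f95"))
SAMPLE_SOLICIT = b"\x01\xaa\xbb\xcc" + CLIENT
SAMPLE_KNOWN = (b"\x02\xaa\xbb\xcc" + CLIENT
                + _opt(OPT_SERVERID, bytes.fromhex("00030001005056aabb01")))
SAMPLE_UNKNOWN = (b"\x02\xaa\xbb\xcc" + CLIENT
                  + _opt(OPT_SERVERID, bytes.fromhex("0003000102004c4f4f50"))
                  + _opt(OPT_PREFERENCE, b"\xff"))
```
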
DHCPv6 Implementation
• Windows Server 2008
  • Server, Client
• Windows Vista/7
  • Client
• Dibbler
  • Server, Relay, Client, PD
  • Supports multiple platforms (including WinXP)(win2k exp)
  • Open source
• KAME DHCP6
  • Server, Relay, Client, PD
  • Does not support assignment of temporary addresses

DHCPv6 Implementation Cisco
• DUID of device can be known via the command show ipv6 dhcp
• DHCPv6 client feature on Cisco routers can only request
  • non stateful information such as DNS server, domain search list
  • the delegation of prefixes
• Delegated prefixes will be added to local IPv6 general prefix pool
• DHCPv6 server feature on Cisco routers does not support manual address assignment to DHCPv6 clients. Only delegation of IPv6 prefixes is supported in addition to other stateless information like DNS servers
• Allied Telesis supports the complete DHCPv6 RFC, including the assignment of temporary & permanent addresses as well as DHCP authentication on the router itself.
• Cisco’s complete DHCPv6 implementation is available on their Cisco Network Registrar product.

DHCPv6 Implementation Cisco
• IPv6 prefixes to be allocated can be specified either by
  • Specifying a /48 prefix with a specific DUID in an ipv6 dhcp pool
  • A local prefix using the ipv6 local pool command
• Assigned prefixes are stored in a binding database in NVRAM
• Bindings can be viewed using show ipv6 dhcp binding

DHCPv6 Implementation: Cisco
• The following slides show how to configure various DHCPv6 functionalities. They only show the relevant dhcp commands. You will most likely still need to configure interfaces to support ipv6 addresses, bring them up, enable unicast-routing, configure static routes, and/or configure neighbor discovery.
Please refer to your CNE6 Level 1 notes …
• You can use the following commands for debugging purposes
  • show ipv6 interface
  • debug ipv6 packet
  • debug ipv6 dhcp
  • debug ipv6 ? for more debugging that can be turned on

DHCPv6 Server Configuration (Windows 2008 Example)
DHCPv6 Server Configuration (ISC DHCPv6 Example)
DHCPv6 Client Configuration
DHCPv6 Relay Configuration (ISC DHCPv6 Example)
Thank You