Automate address configuration in IPv6


IPv4 has only two options: a static address and default gateway configuration, or DHCP. Today we will take a closer look at what has replaced the classic DHCP of IPv4, how it works and how to live with it.

We have to remember that IPv6 has finally done away with a number of obsolete technologies. In particular, it no longer has broadcast: in all protocols it was replaced by multicast and standardized group addresses, for example ff02::1 (all hosts in the segment) and ff02::2 (all routers).



In addition, not all autoconfiguration mechanisms require server or router participation.

Link-local addresses

Let's start with the concept of link-local addresses. They are allocated from the ff00::/8 network and are assigned to each network interface when the system boots. Unlike IPv4, in IPv6 their use is mandatory. This allows each device to have an address and interact with other devices on the same network regardless of whether other configuration mechanisms have succeeded, or are enabled at all.

To send a multicast packet you need a source address, and, as we remember, there is no broadcast in IPv6. This is why having an address at the very early stage of boot is especially important. In IPv4, with its massive use of broadcast, this problem was "solved" by using 0.0.0.0 instead of the source or destination address.



An isolated network can theoretically work on link-local addresses alone; from the host's point of view they are indistinguishable from any other address. The difference exists only for routers, which the standard requires not to forward packets with a link-local destination address to other networks.

In practice, of course, the network is of little use without connection to the Internet or other private networks, so let us move on to the mechanisms for setting up public addresses.

This idea is not new: link-local addresses already existed in IPv4, allocated from the 169.254.0.0/16 network, but they were not widely used. One of the reasons is that it is difficult to prevent address conflicts. A successful implementation of this idea requires reliable and practical ways of ensuring the uniqueness of host addresses. Let us see how this problem is solved in IPv6.

Unique host addresses

The default network size for a single IPv6 link-layer segment is /64. This is a lot: 2^64 addresses! It seems an absurd idea, but there are reasons for it. In 64 bits you can fit an existing globally unique identifier, or generate a random one with a very low probability of conflict.

Each factory MAC address is guaranteed to be unique, so you can avoid potential address conflicts forever by simply using the MAC address of the network card as part of its IPv6 address. This mechanism is called EUI-64 (Extended Unique Identifier); you can read more about it in the appendix to RFC 2373.

A MAC address is 48 bits (six bytes) and we need 64, so it is split into two three-byte halves and the magic number 0xFFFE is inserted between them. In addition, the seventh bit of the MAC address (the universal/local bit, which is zero by default in a globally unique address) is inverted.
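The transformation described above, as an added example that is not part of the original article: the function builds the modified EUI-64 interface identifier from a MAC, combines it with a /64 prefix, and, for the privacy discussion that follows, checks whether an address carries the 0xFFFE marker, which is what lets an observer recognize an EUI-64 address (and therefore the underlying MAC) on any network. The sample MAC 08:00:27:76:34:17 is the one from the traffic dump later in the article; the function names are my own.

```python
import ipaddress


def mac_to_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC.

    1. split the MAC into its two 3-byte halves,
    2. insert 0xFFFE between them,
    3. invert bit 7 of the first byte (the universal/local bit).
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 identifier derived from `mac`.

    Works for both link-local (fe80::/64) and global prefixes, exactly as a host
    doing SLAAC with EUI-64 identifiers would.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 identifiers fill exactly 64 bits; prefix must be /64")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def has_eui64_identifier(address: str) -> bool:
    """True if the low 64 bits look like a modified EUI-64 (0xFFFE in the middle).

    Useful when auditing a network for hosts that still expose their MAC in
    global addresses instead of using privacy extensions.
    """
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return iid.to_bytes(8, "big")[3:5] == b"\xff\xfe"


def eui64_to_mac(address: str) -> str:
    """Recover the MAC from an EUI-64 address; this is why the privacy problem exists."""
    if not has_eui64_identifier(address):
        raise ValueError("interface identifier is not EUI-64 based")
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed sample: the MAC seen in the tcpdump output of this article.
    mac = "08:00:27:76:34:17"
    print(slaac_address("fe80::/64", mac))      # the router's link-local address
    print(slaac_address("2001:db8::/64", mac))  # the same device's global address
    print(eui64_to_mac("2001:db8::a00:27ff:fe76:3417"))
```

Both generated addresses share the low 64 bits, which is exactly the cross-network correlation the next paragraph warns about; the audit helper flags such addresses so that privacy extensions (RFC 3041 and its successors) can be enabled where they are missing.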

Since link-local addresses are not routed, this approach creates no privacy problems for them. For the assignment of public addresses it is obviously problematic: an attacker with access to traffic dumps or server logs can easily match up the addresses a single device used on different networks (for example at home, at work, or on a public Wi-Fi access point in a hotel) and track the user's movements.

In today's world this is not the biggest threat to privacy, so we won't look at the mechanisms for combating it in detail, but they do exist: one option, IPv6 privacy extensions, is described in RFC 3041. More importantly, IPv6, or rather NDP (the ARP equivalent), has a built-in address collision detection mechanism. A node first gives the address the tentative state and waits to see whether an NDP packet with this address as its source arrives. If such a packet arrives, the address is not activated.

Thus, the idea of automatically generated addresses applies to both local and public addresses. Only the network prefix is needed for configuration.

Router operating systems, when configuring interfaces, often allow only the network prefix to be specified manually and leave the system to generate the host identifier itself: e.g. interface Gi0; ipv6 address 2001:db8::/64 eui-64 in Cisco IOS, or set interfaces ethernet eth0 ipv6 address eui64 2001:db8::/64 in VyOS. Hosts don't usually know their network prefix, so they need to get it from an external source. This is where SLAAC (StateLess Address AutoConfiguration) comes in, by way of a router advertisement.

Router Advertisement (SLAAC)

We must also remember that there is no ARP in IPv6 either; its role was taken over by NDP, the Neighbor Discovery Protocol, described in RFC 4861. Unlike ARP, it is not a separate protocol sitting between the network and link layers but a subset of ICMPv6. This was possible because link-local addresses are mandatory: there can be no hosts on the network without an address.

It is noticeably more functional than its predecessor and, among other things, has a clear division between the host and router roles. In IPv4 the router address could only be configured manually or obtained through DHCP; in IPv6 routers send hosts packets announcing that they are ready to route traffic and at the same time tell them their address.

The same protocol can send hosts the prefix of the network they are in, so that they can configure their own addresses.

Let us try to configure this mechanism on GNU/Linux. We will use the radvd package to send the router advertisement. It is usually present in repositories and should not be difficult to install.

Let’s assume that the router eth0 is configured with the address 2001:db8::1/64. First let us enable IPv6 routing: sudo sysctl -w net.ipv6.conf.all.forwarding=1. Then we write the following in /etc/radvd.conf:

interface eth0 {
    IgnoreIfMissing on;
    AdvManagedFlag off;
    AdvReachableTime 0;
    AdvSendAdvert on;
    AdvOtherConfigFlag off;
    prefix 2001:db8::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

After starting in radvd we will see the following picture in the traffic dump:

11:36:49.958369 IP6 (flowlabel 0xf840b, hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::a00:27ff:fe76:3417 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56

hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s

prefix info option (3), length 32 (4): 2001:db8::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s

source link-address option (1), length 8 (1): 08:00:27:76:34:17

This is the router advertisement. The destination address ff02::1 is the all-hosts group address. Note that the source address is link-local rather than a global public address.

If you are a Linux client host then you can manually enable autoconfiguration with sudo sysctl -w net.ipv6.conf.eth0.accept_ra=1 although it is easier to do this via NetworkManager. You will then see an automatically configured address on the interface, and in ip -6 route you will see an entry in the form default via fe80::a00:27ff:fe76:3417. All automatically configured routes in IPv6 use link-local as their gateway address, both on hosts and routers with RIPng, OSPFv3, and often BGP.

Only routes and network prefixes can be distributed via router advertisement. There are extensions for distributing DNS server addresses, but for additional information such as NTP servers or any other options one cannot do without DHCPv6.

DHCPv6

DHCPv6 is similar to its predecessor from IPv4 but differs in implementation details, and these differences must be kept in mind to configure it properly.

Since the default route configuration in IPv6 is done automatically through a router advertisement, DHCPv6 does not provide this feature – do not look for it in the documentation.

In IPv4, hosts send a broadcast request to a DHCP server. In IPv6, even when a host is configured to use DHCPv6, it will not do so unless the router tells it that a server is present on the network.

Customize RA for DHCPv6

Our radvd.conf had the AdvAutonomous on option. According to RFC 4862, this flag means that there is no other mechanism for distributing network settings and hosts should configure their addresses based on the prefix information in the packet: 2001:db8::/64 in our case. If this flag is set to zero, hosts will ignore the prefix information in router advertisement packets.

Whether hosts should send a request to a DHCPv6 server is determined by the Managed and OtherConfig flags. The Managed flag means that hosts must obtain addresses via DHCPv6. The OtherConfig flag means that hosts must use SLAAC, but additional settings are available through DHCPv6.

Therefore, before configuring DHCPv6, you need to edit /etc/radvd.conf again, set AdvManagedFlag on and AdvAutonomous off there, and then restart the service.
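The flag logic of the two preceding sections (the radvd router advertisement shown in the traffic dump, and the Managed / OtherConfig / Autonomous flags decided here), as an added example that is not part of the original article: a small builder and parser for the ICMPv6 router advertisement body, plus a function that derives what a host should do from the flags it carries. The first constructed packet reproduces the values of the article's tcpdump output (hop limit 64, no flags, lifetime 1800s, prefix 2001:db8::/64 with onlink and auto, source MAC 08:00:27:76:34:17); the second reproduces the "AdvManagedFlag on, AdvAutonomous off" configuration. The ICMPv6 checksum is left at zero because it depends on the IPv6 pseudo-header, which is outside this example; function names are my own.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_SOURCE_LINK_ADDR = 1            # RFC 4861 section 4.6.1
OPT_PREFIX_INFO = 3                 # RFC 4861 section 4.6.2


def build_ra(hop_limit, managed, other, router_lifetime, prefixes, src_mac):
    """Assemble an RA body (ICMPv6 header onward). Checksum field is left zero."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    body = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       hop_limit, flags, router_lifetime, 0, 0)
    for prefix, onlink, autonomous, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)
        body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                            pflags, valid, preferred, 0)
        body += net.network_address.packed
    body += bytes([OPT_SOURCE_LINK_ADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    return body


def parse_ra(body: bytes) -> dict:
    """Decode an RA body into the fields tcpdump prints, validating option lengths."""
    if len(body) < 16 or body[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a router advertisement")
    _, _, _, hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", body[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable": reachable, "retrans": retrans,
          "prefixes": [], "source_mac": None}
    off = 16
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated option header")
        otype, olen = body[off], body[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")      # RFC 4861: must discard the packet
        end = off + olen * 8
        if end > len(body):
            raise ValueError("option overruns packet")
        opt = body[off:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{plen}",
                                   "onlink": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_SOURCE_LINK_ADDR and olen == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        # unknown options are skipped, as RFC 4861 requires
        off = end
    return ra


def host_behaviour(ra: dict) -> dict:
    """What a host does with this RA, following the M, O and A flag semantics above."""
    address_sources = []
    if any(p["autonomous"] for p in ra["prefixes"]):
        address_sources.append("slaac")          # A flag: build addresses from the prefix
    if ra["managed"]:
        address_sources.append("dhcpv6")         # M flag: ask a DHCPv6 server for addresses
    return {"addresses": address_sources,
            "other_config_via_dhcpv6": ra["managed"] or ra["other"],   # O flag (implied by M)
            "install_default_route": ra["router_lifetime"] > 0}


# Constructed samples: the article's first radvd.conf and its DHCPv6 variant.
SLAAC_RA = build_ra(64, False, False, 1800,
                    [("2001:db8::/64", True, True, 86400, 14400)], "08:00:27:76:34:17")
DHCPV6_RA = build_ra(64, True, False, 1800,
                     [("2001:db8::/64", True, False, 86400, 14400)], "08:00:27:76:34:17")

if __name__ == "__main__":
    for name, pkt in (("SLAAC", SLAAC_RA), ("DHCPv6", DHCPV6_RA)):
        print(name, len(pkt), "bytes:", host_behaviour(parse_ra(pkt)))
```

The first packet is 56 bytes long, matching the payload length in the article's dump, and yields "slaac" only; the second makes the host ignore the prefix and go to DHCPv6 for both addresses and other settings. The length checks in parse_ra are the part a defender should not skip: RA processing runs on every host on the link, and malformed option lengths are the classic way a parser gets tricked into reading past the packet.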

Customize DHCPv6

The DHCPv6 server can be found in the ISC DHCP package; in different distributions it is called either dhcp-server or isc-dhcp-server. The location of the config is distribution-dependent and configurable in the startup options, so let's assume that it lies in /etc/dhcpd/dhcpd6.conf. Let's write a minimal config there for the test:

shared-network TEST {
    subnet6 2001:db8::/64 {
        range6 2001:db8::1000 2001:db8::2000;
        option dhcp6.name-servers 2001:db8::100;
    }
}

Now all you have to do is start the service, configure the client to receive settings from DHCPv6 and see what happens.

Conclusion

In corporate networks IPv6 is still the exception rather than the rule, but when it gets there, this article will hopefully help you be ready for it.


