IPv6 RA's and DHCPv6

Started by Dieselboy, May 18, 2016, 04:24:02 AM


srg

Quote from: Dieselboy on May 20, 2016, 03:15:39 AMSo to allow mac to mac L2 communication I'm going to need to advertise the prefix, but then set the A flag to stop SLAAC.
That's what I was thinking, but I haven't had the time to test it myself. I'm deploying this in a residential subscriber/BNG scenario where every subscriber is in its own VLAN, so they are forced through the router anyhow.
as if the mind had blackened forever.

Dieselboy

#16
Quote from: ristau5741 on May 20, 2016, 07:59:16 AM

Quote from: Dieselboy on May 19, 2016, 10:43:58 PM

EDIT - yes it does. After going into the network adapter and disabling ipv6 and then re-enabling, now I only get a DHCPv6 IP address (including DNS) and the RA gives me default gateway.

You must have missed that question on the exam.

Exam was more than half a decade ago. I can't remember what I did last weekend!  :blank:

wintermute000

Quote from: srg on May 20, 2016, 10:57:20 AM
Quote from: Dieselboy on May 20, 2016, 03:15:39 AMSo to allow mac to mac L2 communication I'm going to need to advertise the prefix, but then set the A flag to stop SLAAC.
That's what I was thinking, but I haven't had the time to test it myself. I'm deploying this in a residential subscriber/BNG scenario where every subscriber is in its own VLAN, so they are forced through the router anyhow.

that's why I'm thinking as well srg.

Though dialing it back to first principles - prefixes in IPv6 are assumed to be /64 right? So why can't a host work out its local subnet if it has an address? Or is that a "convention"?

Dieselboy

Quote from: wintermute000 on May 20, 2016, 10:26:08 PM

that's why I'm thinking as well srg.

Though dialing it back to first principles - prefixes in IPv6 are assumed to be /64 right? So why can't a host work out its local subnet if it has an address? Or is that a "convention"?

I was thinking this as well but I guess the client assumes it doesn't know what subnet it's on.

srg

Quote from: Dieselboy on May 21, 2016, 12:43:55 AM
Quote from: wintermute000 on May 20, 2016, 10:26:08 PM

that's why I'm thinking as well srg.

Though dialing it back to first principles - prefixes in IPv6 are assumed to be /64 right? So why can't a host work out its local subnet if it has an address? Or is that a "convention"?

I was thinking this as well but I guess the client assumes it doesn't know what subnet it's on.
Yes that's basically what's happening. In theory with SLAAC the client could work out the on-link subnet but this would break NBMA if the router doesn't do ND proxying. In DHCPv6 this is not possible, the IA_NA doesn't even contain a prefix so the IP is considered a single /128.

So the gist of it is that the client should not draw any own conclusions about on-link prefixes but must always be explicitly told about them (there could be on-link prefixes where the client doesn't have an IP etc). There is an RFC that updates the Neighbor Discovery RFC and clarifies this; https://tools.ietf.org/html/rfc5942 (really a good read on this topic!)
as if the mind had blackened forever.

wintermute000

#20

So can I recap what we've established in both theory and practice (i.e. Dieselboy's live experience)?

1.) DHCPv6 does NOT send the prefix, just the IP. This (i.e. not sending the 'mask') is also not the same thing as prefix delegation (wickedly clear terminology LOL).
2.) RA is required to send the prefix even if disabling SLAAC/using stateful DHCPv6 address delegation.
3.) You can send this prefix via RA whilst at the same time disabling SLAAC (-A) and enabling the other options flag (M bit) to suggest (though in practice it works every time) using a DHCPv6 server for stateful addressing.
4.) If you do not disable SLAAC but send the DHCPv6 server via the M-bit, you will get both addresses (and both will be 'valid').
5.) If you do not send the prefix via RA, the host thinks it has a /128 and will not even attempt ICMPv6 ND/NS and will instead send any and all packets to the MAC address of the default gateway.

I did not know the last part, so thanks again Dieselboy for documenting your experience and srg for the clarification.
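
srg's RFC 5942 point and the recap above, as an added example that is not from the thread: a small Python model of a host that builds and parses a Router Advertisement and then decides, the way RFC 5942 requires, whether a destination is a neighbor or must go to the default router. The 2001:db8:0:70a::/64 prefix and the 2001:db8:0:707::e9:0 destination are made-up stand-ins for the thread's masked addresses; the router link-local is the one from the ipconfig output later in the thread. Only Prefix Information options are modelled (no Redirects, no checksum, no lifetimes expiring).

```python
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 Router Advertisement (RFC 4861 s4.2)
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 s4.6.2)
RA_FLAG_M = 0x80         # Managed: get addresses from DHCPv6
RA_FLAG_O = 0x40         # Other: get DNS etc. from DHCPv6
PIO_FLAG_L = 0x80        # prefix is on-link
PIO_FLAG_A = 0x40        # prefix may be used for SLAAC


def build_ra(flags, prefixes, router_lifetime=1800):
    """Return the ICMPv6 payload of an RA (checksum left 0; no IPv6 header here).

    prefixes: list of (IPv6Network, pio_flags, valid_lifetime, preferred_lifetime)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    opts = b""
    for net, pflags, valid, preferred in prefixes:
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                            valid, preferred, 0)
        opts += net.network_address.packed
    return hdr + opts


def parse_ra(payload):
    """Return (ra_flags, [(IPv6Network, pio_flags, valid, preferred), ...])."""
    msg_type, _code, _csum, _hops, flags, _life, _reach, _retrans = struct.unpack_from(
        "!BBHBBHII", payload, 0)
    if msg_type != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0 or off + olen * 8 > len(payload):
            raise ValueError("malformed ND option")   # RFC 4861 s4.6: discard the packet
        if otype == OPT_PREFIX_INFO and olen == 4:
            _, _, plen, pflags, valid, pref, _ = struct.unpack_from("!BBBBIII", payload, off)
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append((ipaddress.IPv6Network((addr, plen), strict=False),
                             pflags, valid, pref))
        off += olen * 8
    return flags, prefixes


class Host:
    """Minimal RFC 5942 host: a destination is on-link only if covered by a prefix
    learned with L=1 (or link-local).  A DHCPv6 address adds no on-link prefix."""

    def __init__(self):
        self.onlink = []          # prefixes received with L=1
        self.slaac_prefixes = []  # prefixes received with A=1 (SLAAC would run on these)
        self.use_dhcpv6 = False   # M flag seen
        self.default_router = None

    def receive_ra(self, payload, router_lladdr):
        flags, prefixes = parse_ra(payload)
        self.default_router = router_lladdr
        self.use_dhcpv6 = bool(flags & RA_FLAG_M)
        for net, pflags, valid, _pref in prefixes:
            if valid == 0:
                continue
            if pflags & PIO_FLAG_L and net not in self.onlink:
                self.onlink.append(net)
            if pflags & PIO_FLAG_A and net.prefixlen == 64 and net not in self.slaac_prefixes:
                self.slaac_prefixes.append(net)

    def next_hop(self, dst):
        """'neighbor' = resolve dst itself with NS/NA; 'router' = send to the router's MAC."""
        dst = ipaddress.IPv6Address(dst)
        if dst.is_link_local or any(dst in net for net in self.onlink):
            return "neighbor"
        return "router"


def demo():
    prefix = ipaddress.IPv6Network("2001:db8:0:70a::/64")   # assumed stand-in prefix
    router = "fe80::5:73ff:fea0:f7"
    # 1: the thread's final SVI config: M=1, prefix advertised with L=1 and A=0
    h1 = Host()
    h1.receive_ra(build_ra(RA_FLAG_M, [(prefix, PIO_FLAG_L, 1800, 1800)]), router)
    # 2: M=1 but no prefix advertised at all (recap item 5)
    h2 = Host()
    h2.receive_ra(build_ra(RA_FLAG_M, []), router)
    # 3: M=1 and A=1: SLAAC and DHCPv6 both run, so the host ends up with two addresses
    h3 = Host()
    h3.receive_ra(build_ra(RA_FLAG_M, [(prefix, PIO_FLAG_L | PIO_FLAG_A, 1800, 1800)]), router)
    return {
        "same_subnet_with_prefix": h1.next_hop("2001:db8:0:70a::5"),
        "same_subnet_no_prefix": h2.next_hop("2001:db8:0:70a::5"),
        "off_link": h1.next_hop("2001:db8:0:707::e9:0"),
        "slaac_with_no_autoconfig": len(h1.slaac_prefixes),
        "slaac_with_autoconfig": len(h3.slaac_prefixes),
        "use_dhcpv6": h1.use_dhcpv6,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case 2 is the behaviour Dieselboy observed: with no Prefix Information option the host has nothing with L=1, so even a destination in its own /64 is handed to the default router's MAC instead of being resolved with Neighbor Solicitation.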

deanwebb

I read this thread and felt satisfied that, not once, were any firewalls blamed. The rest of it went right over my head.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

#22
My ASA has been very good in this whole thing :)

The aim of this post was to get a better understanding of how one would go ahead and configure IPv6 in a working environment.

For reference, here is my SVI config I've settled on, based on this discussion thread. I've put comments next to the commands below.

interface Vlan10
  description USER-ACCESS SVI
  no shutdown
  no ip redirects
  ip address 192.168.10.2/24
  ipv6 address 2001:xxxx:xxxx:70a::2/64   # Set IPv6 Address
  ipv6 nd managed-config-flag    # Set the M flag to tell clients they can use DHCPv6 (this is a suggestion to clients, not an enforcement)
  ipv6 nd prefix 2001:xxxx:xxxx:70a::/64 1800 1800 no-autoconfig    # Advertise the IPv6 prefix in ICMPv6 RA messages which clients pick up. The "no-autoconfig" clears the A flag and advises clients not to use SLAAC against this prefix.
  hsrp version 2
  hsrp 247
    preempt delay minimum 60 reload 60
    priority 100 forwarding-threshold lower 1 upper 100
    timers  1  4
    ip 192.168.10.1
  hsrp 247 ipv6
    preempt delay minimum 60 reload 60
    priority 100 forwarding-threshold lower 1 upper 100
    timers  1  4
    ip autoconfig    # Use link-local as virtual HSRP address
    ip 2001:xxxx:xxxx:70a::1    # Not really used by end devices - I've added it here so it's a logical representation / conversion of IPv4 to IPv6
  ip dhcp relay address 192.168.7.234
  ip dhcp relay address 192.168.7.233
  ipv6 dhcp relay address 2001:xxxx:xxxx:707::ea:0   # DHCPv6 Relay to Windows 2012 DHCPv6 Server to provide clients with IPv6 address, DNS search domain, DNS addresses
  ipv6 dhcp relay address 2001:xxxx:xxxx:707::e9:0   # DHCPv6 Relay to Windows 2012 DHCPv6 Server to provide clients with IPv6 address, DNS search domain, DNS addresses

With the above, we get the following output from "ipconfig /all"


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : internaldomain.com
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 7C-05-07-1D-70-2F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:70a::93(Preferred)
   Lease Obtained. . . . . . . . . . : Tuesday, 24 May 2016 8:00:32 AM
   Lease Expires . . . . . . . . . . : Tuesday, 31 May 2016 8:00:34 AM
   Link-local IPv6 Address . . . . . : fe80::1477:d1e:f27b:6b9b%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, 22 May 2016 5:49:39 PM
   Lease Expires . . . . . . . . . . : Wednesday, 25 May 2016 8:00:31 AM
   Default Gateway . . . . . . . . . : fe80::5:73ff:fea0:f7%5
                                       192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.7.234
   DHCPv6 IAID . . . . . . . . . . . : 175899911
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-9D-25-6B-7C-05-07-1D-70-2F
   DNS Servers . . . . . . . . . . . : 2001:xxxx:xxxx:707::e9:0
                                       2001:xxxx:xxxx:707::ea:0
                                       192.168.7.233
                                       192.168.7.234
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       internaldomain.com

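An added example for the DHCPv6 side of the config above (not from the thread and not Windows' or NX-OS's code): it assembles the Reply a client receives after the relay has unwrapped it, decodes it the way a client does, and shows that the IA_NA/IAADDR carries only an address and two lifetimes, no prefix length, which is why the host holds a /128 until an RA supplies the prefix. It also decodes the DUID-LLT from the ipconfig output. The client DUID and IAID are the ones shown in that output; the leased address, server DUID, transaction ID and 2001:db8 DNS servers are made-up stand-ins for the masked values.

```python
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

MSG_REPLY = 7                                    # DHCPv6 Reply (RFC 3315 s5.3)
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_DNS_SERVERS = 1, 2, 3, 5, 23
DUID_LLT_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # DUID-LLT time base (RFC 3315 s9.2)

# Values taken from the ipconfig /all output above
CLIENT_DUID = bytes.fromhex("00010001" "1E9D256B" "7C05071D702F")
IAID = 175899911


def opt(code, data):
    """Encode one DHCPv6 option: code(2) length(2) data."""
    return struct.pack("!HH", code, len(data)) + data


def build_reply(xid, client_duid, server_duid, iaid, address, dns_servers):
    """Assemble a Reply as the client sees it once the relay has unwrapped it."""
    iaaddr = opt(OPT_IAADDR, ipaddress.IPv6Address(address).packed
                 + struct.pack("!II", 604800, 604800))      # preferred, valid (7 days)
    ia_na = opt(OPT_IA_NA, struct.pack("!III", iaid, 302400, 483840) + iaaddr)  # IAID, T1, T2
    dns = opt(OPT_DNS_SERVERS, b"".join(ipaddress.IPv6Address(d).packed for d in dns_servers))
    return (struct.pack("!B", MSG_REPLY) + xid.to_bytes(3, "big")
            + opt(OPT_CLIENTID, client_duid) + opt(OPT_SERVERID, server_duid) + ia_na + dns)


def parse_options(buf):
    """Yield (code, data); refuse to read past the end on a bad length."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        data = buf[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("option length runs past end of message")
        yield code, data
        off += 4 + length


def parse_reply(msg):
    if msg[0] != MSG_REPLY:
        raise ValueError("not a DHCPv6 Reply")
    out = {"xid": int.from_bytes(msg[1:4], "big"), "addresses": [], "dns": []}
    for code, data in parse_options(msg[4:]):
        if code == OPT_CLIENTID:
            out["client_duid"] = data
        elif code == OPT_IA_NA:
            out["iaid"], out["t1"], out["t2"] = struct.unpack_from("!III", data, 0)
            for sub_code, sub in parse_options(data[12:]):
                if sub_code == OPT_IAADDR:
                    addr = ipaddress.IPv6Address(sub[:16])
                    preferred, valid = struct.unpack_from("!II", sub, 16)
                    # IAADDR = address + two lifetimes, no prefix length: install as /128
                    out["addresses"].append((ipaddress.IPv6Network((addr, 128)), preferred, valid))
        elif code == OPT_DNS_SERVERS:
            out["dns"] = [ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16)]
    return out


def decode_duid(duid):
    """Expand a DUID-LLT (type 1): hardware type, time since 2000-01-01, link-layer address."""
    duid_type = struct.unpack_from("!H", duid, 0)[0]
    if duid_type != 1:
        return {"type": duid_type}
    hw_type, secs = struct.unpack_from("!HI", duid, 2)
    return {"type": 1, "hw_type": hw_type,
            "time": DUID_LLT_EPOCH + timedelta(seconds=secs),
            "mac": duid[8:].hex("-").upper()}


def demo():
    # Made-up transaction ID, server DUID, lease address and DNS servers
    reply = build_reply(0xABCDEF, CLIENT_DUID, bytes.fromhex("0001000100000000000000000001"),
                        IAID, "2001:db8:0:70a::93",
                        ["2001:db8:0:707::e9:0", "2001:db8:0:707::ea:0"])
    parsed = parse_reply(reply)
    duid = decode_duid(parsed["client_duid"])
    return parsed, duid


if __name__ == "__main__":
    parsed, duid = demo()
    print("leased:", [str(a) for a, _, _ in parsed["addresses"]])   # /128, no on-link prefix
    print("DUID-LLT:", duid)
    print("IAID 0x%08X: low three bytes match the start of the MAC" % parsed["iaid"])
```

Two things fall out of the decode that the raw ipconfig output does not show: the DUID-LLT timestamp 0x1E9D256B is seconds since 2000-01-01 and lands in April 2016, and the IAID 175899911 is 0x0A7C0507, whose low three bytes are the first three bytes of the adapter MAC 7C-05-07-1D-70-2F.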

srg

Great reference! However, I think that:
Quote from: Dieselboy on May 23, 2016, 09:55:57 PM
  ipv6 nd prefix 2001:xxxx:xxxx:70a::/64 1800 1800 no-autoconfig    # Advertise the IPv6 prefix in ICMPv6 RA messages which clients pick up. The "no-autoconfig" sets the A flag and advises clients not to use SLAAC against this prefix.
actually clears the A flag, not sets it.
as if the mind had blackened forever.

Dieselboy

#24
That's what I said ;)

Only joking. I've edited my post to say "clears the A flag". Thanks for pointing out the error.  :rock:
[I ran Wireshark to check before posting this]