Here’s the third entry of Cisco Press author and chair of the Rocky Mountain IPv6 Task Force Scott Hogg’s multi-part blog on IPv6 addressing. This week: stateless and stateful DHCPv6. Thanks Scott! -Tom
Another option is to have the client computers perform SLAAC and then use Stateless DHCPv6 to provide other information, such as DNS server, domain name, and SIP server, to the clients. Stateless DHCPv6 Service for IPv6 is sometimes called DHCPv6 Lite. This approach is defined in RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6.
With Stateless DHCPv6, the client node performs SLAAC for its IPv6 address assignment, then sends a DHCPv6 Information-Request message, and the router responds with a Reply message carrying the other configuration information. DHCPv6-Lite can be performed easily on the local router; Cisco routers can provide Stateless DHCPv6 on their LAN interfaces.
The technique that most organizations prefer in many cases is to use Dynamic Host Configuration Protocol version 6 (DHCPv6) similarly to the way that DHCP is used within their networks for IPv4 address assignment. This protocol is specified in RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6).
DHCPv6 operation starts with the router sending an ICMPv6 Router Advertisement (RA) message that indicates to nodes on the network that they should use DHCPv6 as their method of dynamic address configuration. The RA messages contain several bits (A, M, O, L bits) that indicate to the node how it should obtain its IPv6 address. This document has already covered the Address Autoconfiguration bit.
The Managed Address Configuration Flag (M-flag or M-bit) determines whether the host should use DHCPv6. When set to 1, it tells hosts to obtain a stateful address through DHCPv6.
The Other Stateful Configuration Flag (O-flag or O-bit) determines whether the node should use DHCPv6 for other configuration information. When set to 1, it tells the host to use DHCPv6 to obtain other configuration data. The O-bit is set to 1 for Stateless DHCPv6 (DHCPv6-Lite) as described above.
Following is a list of the typical combinations of address configuration bits set within the RA message sent by the local router.
- A=1, M=0, O=0
  - End host uses stateless auto-configuration
- A=1, M=0, O=1
  - End host uses SLAAC and stateless DHCPv6: autoconfigured address, but DNS and other information is added with DHCPv6 (i.e. from a router)
- A=0, M=1, O=1
  - End host uses DHCPv6 for all information
After the node receives an RA message indicating that it should use DHCPv6, the node sends a DHCPv6 Solicit message to the DHCPv6 multicast address. There are several DHCPv6 messages defined in the standard: Solicit, Advertise, Request, Confirm, Renew, Rebind, Decline, Info-Request, Reply, and Reconfigure. DHCPv6 clients listen on UDP port 546; DHCPv6 servers and relay agents listen on UDP port 547. Two multicast addresses are defined for DHCPv6:
All_DHCP_Relay_Agents_and_Servers (FF02::1:2) – link-local scope
A link-scoped multicast address used by a client to communicate with neighboring (i.e., on-link) relay agents and servers. All servers and relay agents are members of this multicast group.
All_DHCP_Servers (FF05::1:3) – site-local scope
A site-scoped multicast address used by a relay agent to communicate with servers, either because the relay agent wants to send messages to all servers or because it does not know the unicast addresses of the servers. Note that in order for a relay agent to use this address, it must have an address of sufficient scope to be reachable by the servers. All servers within the site are members of this multicast group.
An advantage of DHCPv6 for dynamic address assignment is that it is capable of providing additional information to the nodes. DHCPv6 provides DNS information and uses a 16-bit option space. These options are useful for devices like IP phones.
If IPv6 addresses are dynamically assigned sequentially, starting at ::2, then ::3, then ::4 and onward, then reconnaissance of the network is trivial for an attacker. By contrast, if leased addresses are handed out randomly, an attacker would find it nearly impossible to scan an entire /64 subnet to discover them. Most DHCPv6 servers now use randomized node identifiers. This helps prevent reconnaissance and duplicate address assignment.
DHCPv6 servers that assign randomized interface identifiers to end-node devices help protect the network from attacker reconnaissance attempts. Therefore, organizations should use DHCPv6 servers that are capable of providing randomized interface identifiers in response to lease requests. They should use randomly determined node identifiers for all IPv6 nodes, even at the expense of increased operational cost.
Up next: dealing with IPv6 privacy (aka temporary) addresses.