Using DHCP Option 108 to Disable IPv4
Achieving IPv6-Only Networks
Some large enterprises are now considering how to configure an IPv6-only network environment. They have a desire to reduce the OPEX costs of maintaining two protocols simultaneously and realize the simplicity of running a single protocol in the environment. They recognize that IPv6 addressing, operationally speaking, is much simpler than IPv4 subnetting. With IPv6-only, enterprises can avoid the complexity and cost of buying, operating, and troubleshooting NAT/CGN/LSN systems. Organizations reduce their dependence on increasingly expensive IPv4 addresses or potentially facilitate their sale of public IPv4 address resources at peak prices. It has been observed that, on average, IPv6 performs better than IPv4 across the Internet, which can provide an improvement to end-user experience. Enterprises striving to meet a government mandate or that have plans for a Disable IPv4 Flag Day are looking for ways to run solely IPv6.
These enterprises are looking at their far-flung networks for where they can run IPv6-only. Examples of this are where organizations don’t have IPv4 dependencies, or where they have tight controls on the network configuration, or have a lot of end-node devices, or perhaps they have current or updated software that does not have IPv4 dependencies at all. End-user and guest wired and wireless access networks could be considered. In fact, this is a preferred network type for U.S. Federal organizations striving to meet the OMB mandate and the 20%/50%/80% IPv6-only node percentages it requires. Data centers could also be an option where all servers on the same VLAN do not need IPv4 to function. Cloud environments are another consideration. However, most CSPs don’t allow for IPv6-only operation. (Note, however, that AWS did recently announce support for IPv6-only subnets.) Out-of-Band (OOB) Management networks are another type of network with specific protocols and limited device types.
An enterprise must also recognize that there are requirements for operating IPv6-only access networks. They must have contiguous IPv6 connectivity directly through the core network and out the perimeter to the Internet. They must have IPv6-enabled DNS services and likely need DHCPv6 services, too. The enterprise would need IPv6-enabled shared services (AAA, SSO, PKI, CA, vulnerability scanning, etc.) and other IPv6 security protection measures to protect the IPv6-only desktops. They must also have some method of allowing IPv6-only nodes to reach legacy IPv4-only services (e.g., DNS64/NAT64 or SLB64).
Methods of Disabling IPv4
These enterprises may be familiar with the methods of enabling IPv6 along with leaving IPv4 enabled to create a dual-protocol network. However, they may not be as familiar with the methods to disable IPv4 so that IPv6 is the single protocol running on a network.
There are several configuration options such as static or dynamic IPv6 address assignment on nodes without setting up an IPv4 address statically or using DHCP. This could involve disabling IPv4 in the kernel or on a specific interface manually, one node at a time. This might be feasible in a limited lab environment or a server farm, but it is not feasible in a large population of end-user or guest access networks. Another option is to use host-based filters to block IPv4 packets.
In terms of automated configuration methods, an organization can use software-driven configuration management (e.g., an Ansible playbook deploying the manual settings above to many nodes). This is just a matter of applying the manual disablement of IPv4 to many systems using an automated configuration tool.
Another automated method is to signal IPv6-only network operations in the ICMPv6 Router Advertisement (RA). However, this method isn’t feasible because vendors never implemented this feature and the IETF draft is now expired. Furthermore, even if this became an approved RFC today, it would take years to get implemented in routers and all end-host OSs.
Finally, we arrive at the option that is feasible to implement, which is the method detailed in the IETF RFC titled “IPv6-Only Preferred Option for DHCPv4” (RFC 8925).
DHCP Option 108
The IPv6-Only Preferred Option for DHCPv4 (RFC 8925) specifies a method to use a DHCP option (delivered over IPv4) to disable the IPv4 protocol on a host (resulting in it being IPv6-only). DHCP Option 108 contains a 32-bit unsigned integer that represents the number of seconds the client should disable DHCPv4. Following are the timers that are defined in the RFC:
- V6ONLY_WAIT (default = 1800 seconds, 30 min)
- MIN_V6ONLY_WAIT (default = 300 seconds, 5 min)
In the example below, a timer of 300 seconds is configured to simplify functionality testing in a lab environment. In a production environment, an enterprise may elect to set the value to 3600 seconds (1 hour) or possibly even longer.
Configuring this Option on Infoblox vNIOS
DHCP Option 108 can be easily configured on an Infoblox vNIOS system running a DHCP service. To do this, one would configure a DHCP server as usual and configure IPv4 networks and a DHCP scope range for those networks.
The next step is to configure the custom DHCP option 108 on Infoblox vNIOS 8.6.2. This is performed just like the configuration of other custom DHCP options. Open the Infoblox web interface and click on the Data Management tab. Navigate to the DHCP menu and select “Option Spaces” for “DHCP (IPv4)” and click the edit button and then click the “+” icon to add an option. Enter the “Name” (we’ve chosen IPv6-Only), enter the “Code” (108 is the option number), and then enter the “Type” (32-bit unsigned integer). Following is a screen shot of the resulting DHCP (Option Space) configuration.
The next step is to apply this new DHCP option 108 to the DHCP scope for a particular network. Once again, navigate to the Data Management tab, select the “DHCP” service, select “Networks” and select the particular IPv4 subnet on which to configure this option. Click on the edit button, then select “IPv4 DHCP Options”, then select the DHCP Option 108 we configured earlier and set the time value. In the following picture the timer of 300 seconds was chosen for this test. Finally, click on “Save & Close” and restart the Infoblox services.
The next step is to update the first-hop router to enable IPv6 on the VLAN, but also use an IPv4 address and configure the “ip helper” DHCP relay, which will point to the Infoblox vNIOS appliance. The following is an example configuration for a Cisco IOS router functioning as the IPv4 DHCP relay and the IPv6-only first-hop router.
```
ip address 192.168.12.1 255.255.255.0
ip helper-address 192.168.11.21
ipv6 address FE80::12 link-local
ipv6 address 2001:DB8:12:12::1/64
ipv6 nd ra dns server 2001:DB8:11:11::6
```
Now comes the time to connect the end-user devices to this network and observe their behavior. On the Infoblox vNIOS system DHCP scope, one can observe devices that receive DHCP IPv4 address leases. These are devices that ignore Option 108.
With Infoblox as the DHCP server offering Option 108, you will observe that only some end-user host operating systems actually receive this DHCP option and disable IPv4 on their interfaces:
- Apple macOS computers
- Apple iOS 16.0.3 and even Apple iOS 15.7 running on older devices
- Android 12 (and presumably Android 13)
There are many modern host operating systems that ignore DHCP Option 108 and proceed to obtain an IPv4 address lease from the Infoblox DHCP server:
- Windows 10 and Windows 11
- ChromeOS (using its container IPv4 address)
- Various Linux distributions (Ubuntu 22.04.1, CentOS Stream 8, Debian 10/11, Fedora 36, among others)
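To audit a segment from a packet capture instead of reading lease tables, the sketch below parses a DHCPv4 message, checks whether the client lists option 108 in its Parameter Request List (option 55), and computes the wait time a client applies from the server's reply, including the MIN_V6ONLY_WAIT floor from the timer list earlier. It is an added example, not Infoblox or RFC code; the function names and sample messages are constructed for illustration, and option overload (option 52) is not handled.

```python
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # marks the start of DHCP options
OPT_PAD, OPT_PRL, OPT_V6ONLY, OPT_END = 0, 55, 108, 255
MIN_V6ONLY_WAIT = 300                     # seconds, RFC 8925 default floor

def parse_options(packet: bytes) -> dict:
    """Return {code: value_bytes} from a BOOTP/DHCPv4 message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:               # pad has no length byte
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option %d" % code)
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def client_requests_v6only(packet: bytes) -> bool:
    """True if the client lists option 108 in its Parameter Request List."""
    return OPT_V6ONLY in parse_options(packet).get(OPT_PRL, b"")

def v6only_wait(packet: bytes):
    """Seconds the client suspends DHCPv4, or None if option 108 is absent."""
    raw = parse_options(packet).get(OPT_V6ONLY)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("option 108 must carry a 4-byte value")
    # Values below the floor are raised to MIN_V6ONLY_WAIT by the client.
    return max(struct.unpack("!I", raw)[0], MIN_V6ONLY_WAIT)

def build(options: bytes) -> bytes:
    """Constructed sample: zeroed 236-byte BOOTP header + cookie + options."""
    return bytes(236) + MAGIC_COOKIE + options + bytes([OPT_END])

# Constructed messages for illustration (not captured traffic).
DISCOVER_HONORS = build(bytes([53, 1, 1, 55, 4, 1, 3, 6, 108]))
DISCOVER_IGNORES = build(bytes([53, 1, 1, 55, 3, 1, 3, 6]))
OFFER_300 = build(bytes([53, 1, 2, 108, 4]) + struct.pack("!I", 300))
OFFER_60 = build(bytes([53, 1, 2, 108, 4]) + struct.pack("!I", 60))
```

Because DHCPv4 is unauthenticated, the same parser is useful for flagging replies that carry option 108 from any address other than the expected relay or server.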
The advantage of DHCP Option 108 is having the ability to turn off IPv4 on many nodes all at once. It is easy to configure this option for numerous end-user access segments. The disadvantage of this method is that one still needs to configure a DHCP scope and configure IPv4 on the local router and relay, and many operating systems still do not honor Option 108. Taking the additional step of turning off Automatic Private IP Addressing (APIPA, 169.254.0.0/16) may not make much of a difference and only works on a few OSes today.
Operating IPv6-only certainly has its advantages. More organizations will be looking for methods to manage their IT environments using a single protocol (IPv6) to improve operational simplicity and remove barriers imposed by IPv4. However, many IPv4 dependencies still exist in enterprise IT environments.
The IPv6 protocol continues to evolve, and the management mechanisms enterprises utilize will change as we move toward the IPv6-only future. Determining how best to disable IPv4 takes some careful consideration and lab testing prior to implementation. Automated methods of disabling IPv4 are evolving as more host OSes will support DHCP Option 108.
For more information and discussion around this IPv6-Only DHCP Option 108, you can listen to the Packet Pushers IPv6 Buzz podcast titled “IPv6 Buzz 110: The Peculiar Power Of DHCPv6 Option 108”.