It is often considered a best practice to match the operational model of IPv6 to that of the legacy protocol IPv4. For example, in a data center or cloud environment, you may be statically assigning IPv4 addresses to servers and instances. It makes sense, then, to statically assign IPv6 addresses too. And if an organization is using DHCP (RFC 2131) to lease IPv4 addresses to end-nodes, then it is logical that they would use DHCPv6 (RFC 8415) to lease IPv6 address Interface Identifiers (the IID is the last 64 bits of a 128-bit IPv6 address) to end-nodes.
How long are typical DHCP lease times for IPv4?
Due to the scarcity of IPv4 addresses, many organizations set relatively short lease times on their wired and wireless access networks. Wireless access networks tend to have shorter lease times than internal corporate wired ports. With so many end-user mobile devices coming and going, it is easy to fill up a /24 scope in less than a single workday. Furthermore, wireless guest access would have the shortest lease times. Imagine a stadium Wi-Fi network and the huge numbers of mobile devices connected. It could have a DHCP lease time as brief as one hour.
Service provider networks use DHCP to lease public IPv4 addresses to residential subscriber routers. For these broadband Internet access networks, DHCP lease times can be anywhere in duration from one day to a whole week. Further, the public IPv4 address on the outside of the home router may not change for years and appears virtually static in nature. However, other service providers configure DHCP so that the public address changes frequently. Tech-savvy subscribers that want to access home networks from the Internet may use Dynamic DNS (DDNS) to keep DNS records updated when these addresses change frequently.
Depending on the brand of DHCP software being used, the default lease durations can vary widely. For example:
- Infoblox NIOS appliances use 43,200 seconds (12 hours) as their default lease time.
- The ISC DHCP Server has a default lease time of 21,600 seconds (6 hours).
- Cisco IOS routers have one day (86,400 seconds) as their default lease time.
- Windows Server 2019 uses a default lease time of 8 days (or 691,200 seconds!).
We see that the default lease times range widely with different DHCP server software. Therefore, it is good to be aware of the defaults and configure them appropriately depending on the type of network scope, the type of network, the number of end-nodes, and the desired rate of change. Other types of DHCP servers may have different lease times. For example, my residential Internet router’s home internal interface embedded DHCP server uses a lease time of 3 hours. It could potentially be configured for a much longer lease time because a typical household doesn’t have a large number of wireless devices or a high frequency of new endpoints.
How is IPv6 different?
IPv4 and IPv6 share some characteristics in terms of basic protocol structure, but there are many ways, both obvious and subtle, in which they are different. Deploying IPv6 doesn’t change the number of VLANs or the number of access networks in the topology. We are most often simply adding IPv6 on top of an existing network topology already running IPv4. And when it comes to DHCPv6, we should consider how many IPv6 nodes we will have on an access network. IPv6 won’t change the number of hosts on a network; rather, all of these nodes will run both IPv4 and IPv6 simultaneously.
When configuring a DHCP scope, assuming a /24 subnet, it is customary to exclude a few addresses at the low end (e.g. .1 to .10), to account for the local router(s) and some static servers. This leaves the remaining addresses in the .11 to .254 range available for leases. When it comes to DHCPv6, the scope range can be from :0000:0000:0000:0000 to :ffff:ffff:ffff:ffff. A /64 prefix can theoretically support 2^64 nodes (18,446,744,073,709,551,616), or 18 quintillion. It is customary to configure the router’s static IPv6 interface address to use the /64 prefix with a ::1 IID (e.g., 2001:db8:100:200::1). The odds of a leased address colliding with the local router’s ::1 IID are incredibly low, so it is not even worth worrying about.
Even though there should likely be the same number of IPv4 nodes as IPv6 nodes on a dual-protocol access network, the DHCP(v4) and DHCPv6 lease times can vary. Due to the scarcity of IPv4 addresses, the lease times are typically configured to be short. By comparison, given the abundance of IPv6 addresses, lease times can be configured to be much longer. For example, DHCPv6 scope lease times could be a month or longer. With DHCPv6, the limiting factor is the number of DHCPv6 client DHCP Unique Identifiers (DUIDs) that are stored on the DHCPv6 server. However, this isn’t a problem on today’s networks, where there are typically fewer than 200 nodes on any /24 IPv4 subnet.
There are many other subtle aspects of DHCPv6 that differ from the DHCP for IPv4 that we are already familiar with. The obvious difference is that IPv6 routers use an ICMPv6 type 134 Router Advertisement (RA) message to indicate to nodes that they should use DHCPv6. IPv4 nodes just send out a UDP broadcast message for the local router to relay to the DHCP server, or to be served by a local DHCP server. Also, DHCP for IPv4 uses the four stateful messages Discover/Offer/Request/Acknowledge (DORA) for obtaining a lease, while DHCPv6 uses Solicit/Advertise/Request/Reply (SARR) message names for the same functions. For another example, we know that DHCPv6 clients use a DHCP Unique Identifier (DUID) (RFC 6355), which can be different from the client identifier used by DHCP(v4) (which uses a link-layer MAC address). DHCPv6 servers also use different configurations for high availability as compared with IPv4 DHCP. Finally, the format for creating a static reservation is different between DHCP and DHCPv6.
We should also note that end-nodes perform a renewal of their lease halfway through the lease duration. If the lease time was 8 hours, then at 4 hours, the node would send a DHCPREQUEST unicast message to the DHCP server, which sends back a DHCPACK unicast message confirming the renewal. DHCPv6 uses different names than IPv4 DHCP for message types. When an end-node wants to extend its lease lifetime, it sends a RENEW message to the server and the server replies with a REPLY message.
IPv6 Preferred and Valid Lifetime
As specified by the Neighbor Discovery Protocol (NDP, described in RFC 4861), access network routers typically multicast ICMPv6 type 134 Router Advertisements (RA) to all nodes on the local network every 200 seconds. Routers also send RAs in response to new hosts joining the network: these new hosts multicast an ICMPv6 type 133 Router Solicitation (RS) to all local routers, and the routers answer with an RA. The RA contains the network prefix (typically the first 64 bits of the 128-bit IPv6 address), other information for the end-nodes about this network, and how they should obtain their IID. To indicate to the end-nodes that they should only use DHCPv6, the Managed Address Configuration flag (M-flag) is set to “1” and the Autonomous Address Configuration flag (A-flag) is set to “0”.
The RA also contains a “Router Lifetime”, a “Reachable Time” and a “Retrans Timer” for nodes to use when checking if their local router is operational. The RA also contains information about the /64 prefix being used on the local network. As their names suggest, the “Valid Lifetime” specifies the number of seconds that this prefix will be used on this network, and the “Preferred Lifetime” specifies the number of seconds that this prefix is preferred for use when the RA indicates that Stateless Address Auto-Configuration (SLAAC) is used. The Preferred Lifetime can never be longer than the Valid Lifetime. On a Cisco IOS router, these times can be adjusted with the “ipv6 nd prefix” command. DHCPv6 scopes can also be configured with valid and preferred lifetimes. While the valid and preferred lifetimes sent by the RA have a similar function to the valid and preferred lifetimes sent by a DHCPv6 server, they could potentially be different values.
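The RA fields described in the two paragraphs above can be read straight off the wire format from RFC 4861: a 16-byte fixed header (type, code, checksum, current hop limit, the M/O flag byte, router lifetime, reachable time, retrans timer) followed by 8-byte-aligned options, of which the Prefix Information option (type 3) carries the L/A flags and the valid and preferred lifetimes. The parser below is an added example, not code from the original article; it uses only the Python standard library, takes the ICMPv6 message without the IPv6 header, does not verify the checksum, and builds its sample RA from constructed values (prefix 2001:db8:100:200::/64, router lifetime 1800 seconds) rather than a capture. Besides decoding the flags, it checks the one consistency rule the text states, that the preferred lifetime may never exceed the valid lifetime, and reports whether an RA is telling hosts to use DHCPv6 only (M=1 with no prefix offering SLAAC).

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
ND_OPT_PREFIX_INFORMATION = 3


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861 section 4.2) and any
    Prefix Information options it carries (section 4.6.2).

    `payload` is the ICMPv6 message only, without the IPv6 header. The ICMPv6
    checksum is not verified here because that needs the IPv6 pseudo-header."""
    if len(payload) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    (msg_type, _code, _checksum, hop_limit, flags,
     router_lifetime, reachable_ms, retrans_ms) = struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a Router Advertisement (ICMPv6 type {msg_type})")
    ra = {
        "cur_hop_limit": hop_limit,
        "managed": bool(flags & 0x80),       # M-flag: obtain addresses via DHCPv6
        "other_config": bool(flags & 0x40),  # O-flag: obtain other config via DHCPv6
        "router_lifetime": router_lifetime,  # seconds this router may be a default router
        "reachable_time_ms": reachable_ms,
        "retrans_timer_ms": retrans_ms,
        "prefixes": [],
    }
    offset = 16
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated ND option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("ND option with zero length")  # RFC 4861: discard the packet
        opt = payload[offset:offset + opt_len * 8]
        if len(opt) < opt_len * 8:
            raise ValueError("truncated ND option body")
        if opt_type == ND_OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{plen}",
                "on_link": bool(pflags & 0x80),     # L-flag
                "autonomous": bool(pflags & 0x40),  # A-flag: prefix may be used for SLAAC
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        offset += opt_len * 8
    return ra


def dhcpv6_only(ra: dict) -> bool:
    """True when the RA directs hosts to DHCPv6 for addresses and offers no
    prefix for SLAAC, i.e. M=1 and every Prefix Information option has A=0."""
    return ra["managed"] and all(not p["autonomous"] for p in ra["prefixes"])


def lifetime_violations(ra: dict) -> list:
    """Prefixes whose preferred lifetime exceeds the valid lifetime. RFC 4861
    does not allow this, so a router sending such an RA is misconfigured."""
    return [p["prefix"] for p in ra["prefixes"]
            if p["preferred_lifetime"] > p["valid_lifetime"]]


def build_sample_ra(managed: bool, autonomous: bool, valid: int, preferred: int,
                    prefix: str = "2001:db8:100:200::") -> bytes:
    """Construct a test RA. The values are made up for this example, not captured."""
    flags = 0x80 if managed else 0x00
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags,
                         1800, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0x00)   # on-link, optionally autonomous
    prefix_opt = (struct.pack("!BBBBIII", ND_OPT_PREFIX_INFORMATION, 4, 64, pflags,
                              valid, preferred, 0)
                  + ipaddress.IPv6Address(prefix).packed)
    return header + prefix_opt


if __name__ == "__main__":
    ra = parse_router_advertisement(build_sample_ra(True, False, 2_592_000, 604_800))
    print(ra)
    print("DHCPv6-only:", dhcpv6_only(ra), "violations:", lifetime_violations(ra))
```

Feeding the parser a packet capture of your own routers' RAs (ICMPv6 payload only) is a quick way to confirm that the M/A flags and prefix lifetimes on the wire match what the router configuration, for example the “ipv6 nd prefix” command on Cisco IOS, was meant to set.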
Now, let’s compare the default DHCPv6 preferred and valid lifetimes for various DHCPv6 servers.
- Infoblox NIOS
  - The preferred lifetime is 27,000 seconds (7.5 hours).
  - The valid lifetime is 43,200 seconds (12 hours).
- ISC DHCPv6
  - The preferred lifetime defaults to 5/8 of the default lease time (27,000 seconds, or 7.5 hours).
  - The default lease time, which serves as the DHCPv6 valid lifetime, is 43,200 seconds (12 hours).
- Cisco IOS Router
  - The preferred lifetime is 604,800 seconds (7 days).
  - The valid lifetime is 2,592,000 seconds (30 days).
- Windows Server 2019
  - The preferred lifetime default value is 8 days.
  - The valid lifetime default value is 12 days.
Again, we see that, depending on the DHCP server software being used, the valid and preferred lifetime values can vary widely.
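To make the renewal behaviour described earlier and these vendor defaults concrete, the following added example (not code from the original article or from any of the vendors named) models the client timers. It takes as given that a DHCPv4 client renews halfway through its lease, as the text states, and assumes the RFC 8415 recommendation for DHCPv6 (section 21.21) that a server set T1 (start RENEW to the leasing server) to 0.5 and T2 (fall back to REBIND to any server) to 0.8 of the preferred lifetime; an actual server may be configured with other T1/T2 values. The vendor default lifetimes are the ones listed above, and the 200-node, 6-hour-lease scenario is a constructed comparison, chosen because the text mentions both numbers.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Lifetimes:
    preferred: int  # seconds the address is preferred for new connections
    valid: int      # seconds until the address becomes invalid


# Default DHCPv6 lifetimes quoted in the list above, in seconds.
VENDOR_DEFAULTS = {
    "Infoblox NIOS": Lifetimes(27_000, 43_200),
    "ISC DHCPv6": Lifetimes(27_000, 43_200),
    "Cisco IOS": Lifetimes(604_800, 2_592_000),
    "Windows Server 2019": Lifetimes(8 * SECONDS_PER_DAY, 12 * SECONDS_PER_DAY),
}


def validate_lifetimes(lt: Lifetimes) -> list:
    """Return the reasons a lifetime pair is unusable for a DHCPv6 scope."""
    problems = []
    if lt.preferred <= 0 or lt.valid <= 0:
        problems.append("lifetimes must be positive")
    if lt.preferred > lt.valid:
        problems.append("preferred lifetime exceeds valid lifetime")
    return problems


def dhcpv6_timers(lt: Lifetimes) -> tuple:
    """(T1, T2) in seconds using the RFC 8415 recommended fractions 0.5 and 0.8
    of the preferred lifetime (assumption: the server uses these defaults).
    Integer arithmetic keeps the result exact."""
    return lt.preferred // 2, lt.preferred * 4 // 5


def dhcpv4_renew_time(lease_seconds: int) -> int:
    """A DHCPv4 client sends its unicast DHCPREQUEST renewal at half the lease."""
    return lease_seconds // 2


def renewals_per_day(nodes: int, renew_interval: int) -> float:
    """Steady-state renewal exchanges (RENEW/REPLY or DHCPREQUEST/DHCPACK) a
    server sees per day when each node renews every renew_interval seconds."""
    return nodes * SECONDS_PER_DAY / renew_interval


def renewal_report(nodes: int, dhcpv4_lease: int) -> dict:
    """Daily renewal load of one DHCPv4 lease length next to each vendor's
    default DHCPv6 lifetimes, for the same number of dual-stack nodes."""
    report = {"DHCPv4": renewals_per_day(nodes, dhcpv4_renew_time(dhcpv4_lease))}
    for vendor, lt in VENDOR_DEFAULTS.items():
        t1, _t2 = dhcpv6_timers(lt)
        report[vendor] = renewals_per_day(nodes, t1)
    return report


if __name__ == "__main__":
    for vendor, lt in VENDOR_DEFAULTS.items():
        print(f"{vendor:20s} T1/T2 = {dhcpv6_timers(lt)}  {validate_lifetimes(lt) or 'ok'}")
    # Constructed scenario: 200 dual-stack nodes, 6-hour DHCPv4 lease (the ISC default).
    for name, load in renewal_report(200, 21_600).items():
        print(f"{name:20s} {load:8.1f} renewals/day")
```

The report makes the operational point of the section visible: with 200 nodes, a 6-hour DHCPv4 lease produces 1,600 renewal exchanges a day, while the Cisco IOS DHCPv6 default (T1 of 3.5 days) produces about 57, so a long DHCPv6 lifetime costs the server little even though the client count is the same.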
Scope Exhaustion Attacks
Another consideration for DHCPv6 lease times is how an attacker could request multiple leases and consume all the available addresses in the lease pool. It is pretty easy to perform a DHCP scope consumption attack, and with only ~250 IPv4 addresses in the scope (half of which may already be actively leased), the attack could succeed in just a few seconds. In fact, many organizations inadvertently experience this on a daily basis when their IPv4 scopes fill up and they need to reduce the lease duration.
With IPv6, DHCPv6 scopes are massive and would never fill up with regular use. The DHCPv6 lease consumption attack could still occur if the attacker generated random DUIDs and continuously requested additional leases (via the DHCPv6 relay) from the DHCPv6 server. Though it wouldn’t take place as quickly as with DHCP, it could still have devastating effects on the DHCPv6 server: The DHCPv6 server’s database could overflow with all of the bindings of DUIDs to IPv6 IIDs and lease information. Therefore, DHCPv6 servers may require some upper limit (e.g., 10,000 leases per /64 prefix) or rate-limiting to prevent such an attack from occurring.
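The two controls suggested in the paragraph above, an upper bound on bindings per /64 and rate-limiting of new clients, can be modelled on the server side without any network code. The following is an added example, not code from the original article or from any DHCPv6 server product: a binding table that accepts a renewal from a known DUID unconditionally, but admits a never-seen DUID only if the relay it arrived through has not introduced more than a configurable number of new DUIDs in the last window and the /64 is below its cap (10,000 by default, the figure the text uses). The request stream is constructed for the example, with the relay name, DUID strings and prefix 2001:db8:100:200::/64 all made up; the thresholds are assumptions to be tuned per network, not vendor defaults.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LeaseRequest:
    t: float          # arrival time in seconds on a constructed clock
    link_prefix: str  # the /64 the relay reports in its link-address
    duid: str         # client DUID carried in the request
    relay: str        # relay agent the request arrived through


@dataclass
class BindingStore:
    """Server-side DUID-to-lease table with two protective controls: a hard cap
    on bindings per /64 and a rate limit on new DUIDs per relay. Thresholds are
    illustrative assumptions, not any product's defaults."""
    max_bindings_per_prefix: int = 10_000
    max_new_duids_per_window: int = 50
    window_seconds: float = 60.0
    bindings: dict = field(default_factory=lambda: defaultdict(dict))    # prefix -> {duid: t}
    new_duid_times: dict = field(default_factory=lambda: defaultdict(deque))  # relay -> times
    alerts: list = field(default_factory=list)                           # (relay, t) when limit hit

    def handle(self, req: LeaseRequest) -> str:
        pool = self.bindings[req.link_prefix]
        if req.duid in pool:                 # known client renewing: never blocked
            pool[req.duid] = req.t
            return "renewed"
        recent = self.new_duid_times[req.relay]
        while recent and req.t - recent[0] > self.window_seconds:
            recent.popleft()                 # forget arrivals outside the window
        if len(recent) >= self.max_new_duids_per_window:
            if not self.alerts or self.alerts[-1][0] != req.relay:
                self.alerts.append((req.relay, req.t))   # one alert per relay burst
            return "rate-limited"
        if len(pool) >= self.max_bindings_per_prefix:
            return "prefix-full"
        pool[req.duid] = req.t
        recent.append(req.t)
        return "leased"


def run(store: BindingStore, requests) -> Counter:
    """Feed requests through the store and tally the outcomes."""
    return Counter(store.handle(r) for r in requests)


def sample_traffic() -> list:
    """Constructed request stream, not a capture: five ordinary clients, then a
    burst of 80 never-seen DUIDs through the same relay within one second,
    then one of the original clients renewing."""
    prefix, relay = "2001:db8:100:200::/64", "relay-A"
    reqs = [LeaseRequest(float(i), prefix, f"duid-client-{i}", relay) for i in range(5)]
    reqs += [LeaseRequest(10.0 + i / 100, prefix, f"duid-unknown-{i:04x}", relay)
             for i in range(80)]
    reqs.append(LeaseRequest(20.0, prefix, "duid-client-0", relay))
    return reqs


if __name__ == "__main__":
    store = BindingStore()
    print(run(store, sample_traffic()))   # leased 50, rate-limited 35, renewed 1
    print("alerts:", store.alerts)
```

With the default thresholds the burst is cut off after 45 new bindings (the window already held the five legitimate clients) and the remaining 35 are refused, while the renewal from an existing client at the end is still honoured, which is the property a defender wants: existing nodes keep their addresses even while a relay is being flooded. Lowering max_bindings_per_prefix shows the second control taking over once the /64 reaches its cap.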
It is important to understand these differences and decide how best to deploy DHCPv6 for your organization based on the type of network on which you are configuring IPv6. Your DHCPv6 lease times can be far longer than your DHCP lease times, but many of the other operational aspects of DHCP and DHCPv6 are similar.