Autoconfig

03/08/14

Provisioning IPv6 in a Nutshell v1.0

By Fred Bovy.IPv6 Forum Gold Trainer, Gold Security Trainer, Gold Engineerccie #3013

© Frederic Bovy EIRL. 2014. Page 1

Table of Contents1. Introduction............................................................................................................................................32. Stateless Addresses Autoconfiguration..................................................................................................43. DHCPv6.................................................................................................................................................54. Interface Start-up..................................................................................................................................10

4.1 Link-Local Address acquisition.....................................................................................................104.2. Router Solicitation........................................................................................................................114.3. RA Prefix Option Checking.........................................................................................................134.4. Check if DHCPv6 must be called.................................................................................................15

5. DHCP Prefix Delegation......................................................................................................................16Annex B. Interface Startup.......................................................................................................................18Annex C. Neighbor FSM.........................................................................................................................19Annex D. DHCP Case Study....................................................................................................................20

Illustration IndexIllustration 1: Router Advertisement from FREE Service Provider...........................................................4Illustration 2: DHCPv6 Servers Discovery................................................................................................5Illustration 3: DHCPv6 Reservation or Info Request................................................................................6Illustration 4: IA for Temporary Address...................................................................................................7Illustration 5: DHCPv6 Identity Association for Non-temporary Addresses Option.................................8Illustration 6: IA Address Option...............................................................................................................8Illustration 7: Address/interface State........................................................................................................9Illustration 2: The Interface Startup Algorithm........................................................................................10Illustration 8: Link Local Address acquisition.........................................................................................10Illustration 9: Step 2. Router Solicitation/Advertisement. If There is a Prefix Option we go to A and Return to B...............................................................................................................................................12Illustration 10: RA Prefix checking full Algorithm.................................................................................13Illustration 11: Checking each prefix from the RA Prefix Option...........................................................14Illustration 12: Check if DHCPv6 mudt be called...................................................................................15 Illustration 13: Each DHCP-PD Client receives a /48 prefix that it can subnet for all its LANs and Links.........................................................................................................................................................16Illustration 14: DHCP-PD Lifecycle........................................................................................................17Illustration 15: Interface Startup..............................................................................................................18Illustration 16: IPv6 Provisioning Case Study.........................................................................................20


1. Introduction

IPv6 was designed to be plug and play for the user. It does not mean that no provisioning must be made on the Network Side

Interface start-up follows the same algorithm on all platforms.

IPv6 don't need DHCPv6 as IPv4 but it may be used as a complement to provide additional information or even IPv6 addresses as well but no default Route!

In IPv6 we can have dynamic or static addresses. Static is for Servers and activenetwork nodes like routers.

Dynamic Addresses can be learned from Stateless Address Autoconfiguration, RFC4862 and, or DHCPv6, RFC 3315.

When DHCPv6 is used to learn IPv6 Address it is called Stateful DHCPv6 as the server must keep a state for each lease.

While the Interface is starting up it is in TENTative mode and no IPv6 traffic can take place on such interface.

The dynamic Addresses are in the Preferred State until the Preferred timers expires if not refreshed by a Router Advertisement or a DHCPv6 Renew. In this mode, the addresses can be used for new and existing connections.

When the Preferred Timers expired, the address goes into Deprecated mode where it can only be used by existing connection but not for new ones. If a refreshcomes in, the address comes back to Preferred mode.

So dynamic addresses must be periodically refreshed by periodic RA or DHCPv6 .

It is also possible for DHCPv6 to allocate block of addresses or Prefix that can be subnetted later. This is DHCP Prefix Delegation or DHCP-PD.


http://tools.ietf.org/html/rfc3315#section-18.1.5

http://tools.ietf.org/html/rfc3315#section-18.1.5

http://tools.ietf.org/html/rfc3315



2. Stateless Addresses AutoconfigurationIPv6 does not need a DHCP server to be plug and play for the workstation. Stateless Address Autoconfiguration allows a Workstation or any end node to be fully configured from the local routerinformation.

DHCPv6 can help if some information are not provided by the native IPv6 process, Stateless Address Autoconfiguration.

The addresses are automatically configured from a prefix provided in the Prefix Option of the Router Advertisement in the Neighbor Discovery Protocol. The Router Advertisement can be solicited by a Router Solicitation packet and are periodically multicasted to all IPv6 nodes on a Local Area Network (LAN). The dynamic address is built and must be refreshed by the periodic RA.


Illustration 1: Router Advertisement from FREE Service Provider


3. DHCPv6It is possible to use DHCPv6 instead of Stateless Address Autoconfiguration or to complement it with more information.


Illustration 2: DHCPv6 Servers Discovery



Illustration 3: DHCPv6 Reservation or Info Request

When the Managed bit (M-bit) in the Flag field of the Router Advertisement is set, the IPv6 End nodes knows that it must call DHCPv6 to get Address(es) and Other Information.

When the M-bit is not set but the Other bit (O-bit) is set, the end node knows that it must call DHCPv6 to get information but no address.

The communication between the DHCPv6 Client and Server take place in a 4 way process.First, the client sends a Solicit message. It is sent to a multicast address (FF02::1:2)

received by ALL DHCPv6 SERVERS and RELAYS.

If there is a DHCP Relay is configured without the Unicast of a Server and Multicast is available in the site, the DHCP Relay forward it to FF05::1:3, a multicast address which will find ALL SERVERS of the site.

“An "identityassociation" (IA) is a construct through which a server and a client can identify, group, and manage a set of related IPv6 Addresses. Each IA consists of an IAID and associated configuration information.”

T1 and T2 timers comes with DHCPv6 for Non-Temporary Addresses and must be carefully set so the addresses remain in Preferred mode.


Illustration 4: IA for Temporary Address

When T1 expires the DHCP Client must Renew its Lease. This is for the client to let its current DHCP server know that it want to keep its address.

If T2 expires, the node will try to Rebind which is to find any DHCP server that can provide an address.

T1 and T2 must be set conservatively to avoid the IPv6 address to become Deprecated. T1 and T2 depends on the Valid and Preferred value.


Illustration 6: IA Address Option

Illustration 5: DHCPv6 Identity Association for Non-temporary Addresses Option

http://tools.ietf.org/html/rfc3315#section-22.4

http://tools.ietf.org/html/rfc3315#section-22.4

I would recommend to have T1 set to one third of the Preferred timer value.


Illustration 7: Address/interface State

4. Interface Start-up

4.1 Link-Local Address acquisition

The IPv6 interface will need a Link-Local IPv6 address for any communication on each link.

So the IPv6 node configured for Autoconfig which the default on most end-nodes platforms: Windows, MAC OS X or Linux.

First, for each node, the host computes the 64 bits of the Interface Identifier part of the address from the MAC Address. It just split the 48 bit of the MAC address in two and adds 0xfffe in the middle. Then it checks if the address is unique with


Illustration 2: The Interface Startup Algorithm

Illustration 8: Link Local Address acquisition

DAD procedure:

Then it adds the link-local prefix ffe80:: and we got an IPv6 Link-Local address. This address is not routable it is really local on the link and the address must contain the interface zone to get used. The zone can be an SNMP Index or the Interface name. Example on CISCO Routers:

fe80::90f4:45ff:fe64:36cd%GigabitEthernet0/0/1

Or Windows:

fe80::847f:81ff:feca:239d%15

Once the address built, it is verified for uniqueness. A NS to oneself is sent and we expectno reply for this. If we receive a reply it means that someone is using the address we were planning to use and the interface is disabled for IPv6!

Otherwise after a short timeout with no reply, we assume nobody uses it and we initialise our interface for this address.

The next step is for the workstation to send a request to any router on the LAN. With a Router solicitation message.

4.2. Router SolicitationThe Router Solicitation message is sent to the ALL_IPv6_Routers Multicast address: ff02::2. The Solicited Router Advertisement message is sent ack from local server or in most case it will be relayedby a DHCP Relay.

When it got a reply, it parses the fields which are meaningful for the workstation like the MTU or the Router IPv6 and MAC Addresses. Then it examines the Router Advertisement if there is a Prefix Option. If yes it will examine each prefix to check if it must build an address from the prefix. Flags and Timers with each prefix will tell the router if it must derive an address or not from the prefix.

If no router replies we just try DHCPv6 and exit. See Illustration 2 for more details (Router Advertisement from FREE Service Provider).



Illustration 9: Step 2. Router Solicitation/Advertisement. If There is a Prefix Option we go to A and Return to B.

4.3. RA Prefix Option Checking Each prefix present is checked in the Router Advertisement fields. To get used and derive an address from each prefix the Autonomous bit and the On-Link bit MUST be set, the Valid timer MUST be > 0


Illustration 10: RA Prefix checking full Algorithm

and the Valid MUST

T >= Preferred timer.

It builds an address from each prefix and check if the address is unique with a DAD procedure. A Neigbor Solicitation sent to oneself and then wait a little time to check if somebody else replies. If no, he address is unique and we can initialize it. Otherwise, the address will not be used.

Apr 18 09:57:31: ICMPv6-ND: L3 came up on GigabitEthernet0/2Apr 18 09:57:31: IPv6-Addrmgr-ND: DAD request for 2000:1::1 on GigabitEthernet0/2Apr 18 09:57:31: ICMPv6-ND: Sending NS for 2000:1::1 on GigabitEthernet0/2Apr 18 09:57:32: IPv6-Addrmgr-ND: DAD: 2000:1::1 is unique.Apr 18 09:57:32: ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2Apr 18 09:57:32: IPv6-Address: Address 2000:1::1/64 is up on GigabitEthernet0/2


Illustration 11: Checking each prefix from the RA Prefix Option

4.4. Check if DHCPv6 must be called

Last, we check the Flag field from the Router Advertisement message if we need to call DHCPv6 to get Address(es) and Other information with the Managed Configuration file. This is Statefull DHCP.

If the Managed Configuration file is not set but the Other config flag is set, this is Stateless DHCP configuration. DHCP is used for all information but Address. So we could get addresses from the Prefix Option or the Router Advertisements and get many information from DHCPv6. This is stateless because as we do not reserve a ressource, we do not need to keep a state with the DHCP advertisement.

In other way we could combine addresses learned by Router Advertisements with Addresses learned with DHCPv6.

A few important remarks, thhttp://tools.ietf.org/html/rfc4862e DNS Server addresses can be learned from the Router Advertisement and the default Route cannot be learned from DHCPv6!


Illustration 12: Check if DHCPv6 mudt be called


5. DHCP Prefix Delegation

DHCPv6 can also be used to allocate prefixes.


Illustration 13: Each DHCP-PD Client receives a /48 prefix that it can subnet for all its LANs and Links.

A block of addresses is provided to the Delegating Router which allocates a prefix to eachclient which places a request.

The allocated block follow the same rules than a single address and must be refreshed before T2 expires if you don't want all your derived addresses to be deprecated.


Illustration 14: DHCP-PD Lifecycle

Annex B. Interface Startup


Illustration 15: Interface Startup

Annex C. Neighbor FSM


Drawing 1: Neighbor Cache FSM simplified

Annex D. DHCP Case Study

The Local Router gets its prefix from one subinterface of the trunk. It uses the prefix to configure the LAN interface(s).

It gets its default parameter, addresses and default Gateway from the Stateless Address Autoconfig process.

It gets additional information from DHCPv6 Server as the right bit is set (M-bit or O-bit) in the Flag field of the Router Advertisement.


Illustration 16: IPv6 Provisioning Case Study

Technology

Autoconfig