IPv6 Focus Month: What is changing with DHCP
Among the different methods to configure IPv6 addresses, most managed networks will likely stick with DHCP. DHCPv6, however, is a bit different than DHCPv4. We will summarize here some of the basic differences between DHCPv4 and DHCPv6.
DHCPv4 is often used to manage a limited address pool. Address scarcity is not an issue in IPv6, and as a result the focus of the protocol shifts to address management and renumbering of hosts. DHCPv6 is also a complete rewrite of the protocol. A lot of the old BOOTP parameters are gone, and a DHCPv6 packet is a simple type-length-value format packet without many of the fixed fields present in DHCPv4.
DHCPv6 uses UDP ports 546 (clients) and 547 (servers and relay agents), not 67/68 like DHCPv4. Clients reach servers via the link-local multicast address ff02::1:2 (All_DHCP_Relay_Agents_and_Servers), which is worth remembering when writing firewall rules or hunting for rogue DHCPv6 servers.
DHCP Unique Identifiers (DUID)
In DHCPv4, hosts are identified by their MAC addresses. However, MAC addresses are Ethernet specific, and other networking technologies may use different identifiers. DHCPv6 therefore introduces a mandatory DHCP Unique Identifier (DUID) to identify hosts. Some modern DHCPv4 implementations use an optional DUID (RFC 4361), but in DHCPv6 a DUID is mandatory.
RFC 3315 defines three different methods to generate a DUID. Most commonly, the time at which the DUID was generated (usually the first boot of the system), followed by the link-layer address (the MAC address for Ethernet), is used. This is referred to as DUID-LLT (link-layer address plus time). The other options are a vendor-assigned DUID (DUID-EN, keyed by the vendor's enterprise number) and the link-layer address by itself (DUID-LL). The time stamp keeps the DUID unique even if the same link-layer address turns up again later, for example after a network card is moved to another machine. The link-layer address by itself should only be used for devices without non-volatile storage that are permanently connected to the network. Whichever type is used, the DUID is generated once and stored, so that it stays the same across reboots.
If a system has multiple network interfaces, all of them use the same DUID. To distinguish different interfaces, an identity association (IA) is used; each IA carries its own identifier, the IAID, which the client keeps unique per interface.
If you configure static IP addresses in your DHCP server, you will have to use the DUID (and possibly the IAID) to identify the system, not the MAC address. Sadly, different servers and clients use different formats to represent these identifiers, and you need to figure out how to translate the value your host reports into the one your server configuration understands.
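To make the three DUID layouts and the "which spelling does my server want" problem concrete, here is an added example (not code from the diary or from any DHCP implementation) that builds and decodes DUID-LLT, DUID-EN and DUID-LL per RFC 3315 section 9 and renders the same identifier in the colon-separated form ISC dhcpd's dhcp6.client-id option takes and the dash-separated form Windows ipconfig /all prints. The MAC address, the enterprise number and the generation time are constructed sample values; the function names are mine.

```python
"""RFC 3315 DUID encode/decode helpers. Added example, not from the diary."""
import struct
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_ETHERNET = 1                                         # IANA hardware type code for Ethernet
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time: seconds since this instant


def mac_bytes(mac):
    """'00:11:22:33:44:55' or '00-11-22-33-44-55' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit Ethernet address")
    return raw


def seconds_since_duid_epoch(when):
    """Time field for DUID-LLT; the field is 32 bits wide and wraps modulo 2**32."""
    return int((when - DUID_EPOCH).total_seconds()) & 0xFFFFFFFF


def duid_llt(mac, secs):
    """DUID-LLT: type 1, hardware type, 32-bit time, link-layer address."""
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, secs) + mac_bytes(mac)


def duid_en(enterprise_number, identifier):
    """DUID-EN: type 2, IANA enterprise number, vendor-chosen identifier bytes."""
    return struct.pack("!HI", DUID_EN, enterprise_number) + identifier


def duid_ll(mac):
    """DUID-LL: type 3, hardware type, link-layer address (no time stamp)."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + mac_bytes(mac)


def parse_duid(raw):
    """Decode any of the three RFC 3315 DUID types into a dict; reject malformed input."""
    if len(raw) < 4 or len(raw) > 130:  # RFC 3315: at most 128 octets after the 2-octet type
        raise ValueError("DUID length out of range")
    (dtype,) = struct.unpack("!H", raw[:2])
    if dtype == DUID_LLT and len(raw) > 8:
        hwtype, secs = struct.unpack("!HI", raw[2:8])
        return {"type": "DUID-LLT", "hwtype": hwtype,
                "generated": (DUID_EPOCH + timedelta(seconds=secs)).isoformat(),
                "lladdr": raw[8:].hex(":")}
    if dtype == DUID_EN and len(raw) > 6:
        (enterprise,) = struct.unpack("!I", raw[2:6])
        return {"type": "DUID-EN", "enterprise": enterprise, "identifier": raw[6:].hex()}
    if dtype == DUID_LL and len(raw) > 4:
        (hwtype,) = struct.unpack("!H", raw[2:4])
        return {"type": "DUID-LL", "hwtype": hwtype, "lladdr": raw[4:].hex(":")}
    raise ValueError(f"unknown or truncated DUID (type {dtype}, {len(raw)} bytes)")


def render(raw, style):
    """The same DUID spelled the way different tools show or expect it:
    'colon' as in ISC dhcpd's dhcp6.client-id option, 'dash' as Windows ipconfig /all prints it."""
    if style == "colon":
        return raw.hex(":")
    if style == "dash":
        return raw.hex("-").upper()
    if style == "plain":
        return raw.hex()
    raise ValueError("unknown style")


if __name__ == "__main__":
    # Constructed sample: DUID generated 2013-03-18 12:00 UTC on a host with MAC 00:11:22:33:44:55
    sample = duid_llt("00:11:22:33:44:55",
                      seconds_since_duid_epoch(datetime(2013, 3, 18, 12, tzinfo=timezone.utc)))
    print(parse_duid(sample))
    for style in ("colon", "dash", "plain"):
        print(style, render(sample, style))
```

Decoding the time field is also a cheap sanity check when a "static" reservation stops matching: a DUID-LLT whose generation time suddenly changed usually means the client lost its stored DUID (reinstall, reimaged VM) and generated a fresh one.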
DHCP and Router Advertisements
At first, it may look like DHCP is an alternative to router advertisements. This is true when it comes to address assignment. Overall, however, DHCPv6 is an extension of router advertisements, and in practice it will not work without them. First of all, the "managed" and "other" flags of a router advertisement tell the host whether to request an address, or other configuration parameters, via DHCP. Second, the default gateway is always learned from router advertisements, not from DHCP: DHCPv6 has no option to hand out a default router.
"managed" and "other" flags
If only the "other" flag is set in a router advertisement, addresses are configured via SLAAC from the prefixes carried in the router advertisement, but other parameters, like recursive DNS servers, are requested via DHCP (an Information-Request). DHCP will in this case configure everything BUT the address. The "managed" flag on the other hand tells the host to use DHCP for address configuration as well as for the additional parameters; once "managed" is set, the "other" flag is redundant.
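The decision a host makes from these two flags is easy to get wrong when reading packet captures, so here is an added example (mine, not from the diary) that builds a constructed ICMPv6 Router Advertisement, parses the M and O flags together with the Prefix Information and RDNSS options, and reports which configuration mode the host will end up in. The prefixes and DNS address are documentation values; the checksum is left at zero because the example never puts the message on the wire.

```python
"""Router Advertisement flag parsing (RFC 4861 / RFC 6106). Added example, not from the diary."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134        # ICMPv6 type
RA_FLAG_MANAGED = 0x80        # M: get addresses from DHCPv6
RA_FLAG_OTHER = 0x40          # O: get other config (DNS etc.) from DHCPv6
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
PI_FLAG_AUTONOMOUS = 0x40     # A: prefix may be used for SLAAC


def build_ra(managed, other, router_lifetime=1800, prefixes=(), dns=()):
    """Constructed ICMPv6 RA body (no IPv6 header, checksum 0) as a router would send it.
    prefixes: (prefixlen, onlink, autonomous, prefix) tuples; dns: RDNSS server addresses."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    for plen, onlink, autonomous, prefix in prefixes:
        pflags = (0x80 if onlink else 0) | (PI_FLAG_AUTONOMOUS if autonomous else 0)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags, 2592000, 604800, 0)
        msg += ipaddress.IPv6Address(prefix).packed
    if dns:
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600)
        for server in dns:
            msg += ipaddress.IPv6Address(server).packed
    return msg


def parse_ra(raw):
    """Pull the M/O flags, SLAAC prefixes and RDNSS servers out of an RA; reject malformed options."""
    if len(raw) < 16 or raw[0] != ND_ROUTER_ADVERT or raw[1] != 0:
        raise ValueError("not a Router Advertisement")
    _, _, _, _, flags, router_lifetime, _, _ = struct.unpack("!BBHBBHII", raw[:16])
    ra = {"managed": bool(flags & RA_FLAG_MANAGED), "other": bool(flags & RA_FLAG_OTHER),
          "default_router": router_lifetime > 0, "slaac_prefixes": [], "rdnss": []}
    off = 16
    while off < len(raw):
        if len(raw) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = raw[off], raw[off + 1]
        if olen == 0:                      # RFC 4861: a zero-length option means drop the packet
            raise ValueError("zero-length option")
        body = raw[off + 2: off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("option runs past end of message")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = body[0], body[1]
            if pflags & PI_FLAG_AUTONOMOUS:
                ra["slaac_prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{plen}")
        elif otype == OPT_RDNSS:
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8
    return ra


def address_config_mode(ra):
    """What a host does with this RA: where addresses come from and whether DHCPv6 is involved."""
    if ra["managed"]:
        return "stateful-dhcpv6"          # addresses and other parameters via DHCPv6; O is redundant
    if ra["other"]:
        return "slaac+stateless-dhcpv6"   # addresses via SLAAC, DNS etc. via DHCPv6 Information-Request
    return "slaac-only" if ra["slaac_prefixes"] else "no-address-config"


if __name__ == "__main__":
    ra = parse_ra(build_ra(False, True, prefixes=[(64, True, True, "2001:db8:1::")],
                           dns=["2001:db8::53"]))
    print(address_config_mode(ra), ra)
```

Keep in mind that the host believes whichever RA it hears: anyone on the link can send one that flips these flags or announces itself as the default router, which is why RA Guard (RFC 6105) on access switches matters just as much as locking down the DHCPv6 server.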
DHCP-PD
For IPv6, ISPs will likely assign a /64 or larger network to each customer. Right now, ISPs usually use DHCP to assign a single IPv4 address. The customer typically runs a NAT gateway, and the external IPv4 address assigned by the ISP is shared within the customer's network. DHCPv6 includes a special mode, "prefix delegation" (RFC 3633), to allow a comparable architecture for IPv6. Instead of assigning an individual address, DHCP is used to assign a prefix to a router. The router will then typically use router advertisements to advertise (pieces of) this prefix internally, and hosts will use addresses from it.
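An added example (mine, not from the diary or any DHCP implementation) of the prefix delegation exchange at the byte level: the CPE's Solicit carrying an IA_PD, the ISP's Reply carrying an IA_PREFIX inside that IA_PD, the client-side checks before a Reply is trusted, and the /64s the CPE then carves out for its internal links. Advertise and Request are skipped for brevity. The DUIDs, transaction id and the 2001:db8:1200::/56 delegation are constructed sample values; the helper names are mine.

```python
"""DHCPv6 prefix delegation (RFC 3633) messages. Added example, not from the diary."""
import ipaddress
import itertools
import struct

SOLICIT, REPLY = 1, 7                     # DHCPv6 message types (RFC 3315)
OPT_CLIENTID, OPT_SERVERID = 1, 2
OPT_IA_PD, OPT_IAPREFIX = 25, 26          # RFC 3633 option codes


def option(code, body):
    return struct.pack("!HH", code, len(body)) + body


def options(raw):
    """Yield (code, body) from a DHCPv6 option list; refuse options that run past the buffer."""
    off = 0
    while off < len(raw):
        if len(raw) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", raw[off:off + 4])
        body = raw[off + 4: off + 4 + length]
        if len(body) != length:
            raise ValueError("option length exceeds message")
        yield code, body
        off += 4 + length


def build_solicit_pd(client_duid, iaid, xid):
    """CPE -> ISP: Solicit carrying an IA_PD (T1 = T2 = 0 lets the server pick the timers)."""
    ia_pd = struct.pack("!III", iaid, 0, 0)
    return (struct.pack("!B", SOLICIT) + xid.to_bytes(3, "big")
            + option(OPT_CLIENTID, client_duid) + option(OPT_IA_PD, ia_pd))


def build_reply_pd(client_duid, server_duid, iaid, prefix, xid, preferred=86400, valid=172800):
    """ISP -> CPE: Reply delegating `prefix` as an IA_PREFIX sub-option of the IA_PD."""
    net = ipaddress.IPv6Network(prefix)
    ia_prefix = struct.pack("!IIB", preferred, valid, net.prefixlen) + net.network_address.packed
    ia_pd = (struct.pack("!III", iaid, preferred // 2, preferred * 4 // 5)
             + option(OPT_IAPREFIX, ia_prefix))
    return (struct.pack("!B", REPLY) + xid.to_bytes(3, "big")
            + option(OPT_CLIENTID, client_duid) + option(OPT_SERVERID, server_duid)
            + option(OPT_IA_PD, ia_pd))


def delegated_prefixes(reply, our_duid, our_xid):
    """Extract delegated prefixes from a Reply, accepting it only if xid and Client Identifier are ours."""
    if len(reply) < 4 or reply[0] != REPLY:
        raise ValueError("not a Reply")
    if int.from_bytes(reply[1:4], "big") != our_xid:
        raise ValueError("transaction id mismatch")
    addressed_to_us = False
    found = []
    for code, body in options(reply[4:]):
        if code == OPT_CLIENTID:
            addressed_to_us = body == our_duid
        elif code == OPT_IA_PD:
            if len(body) < 12:
                raise ValueError("short IA_PD")
            iaid, t1, t2 = struct.unpack("!III", body[:12])
            for sub, sbody in options(body[12:]):
                if sub == OPT_IAPREFIX:
                    if len(sbody) < 25:
                        raise ValueError("short IA_PREFIX")
                    pref, valid, plen = struct.unpack("!IIB", sbody[:9])
                    addr = ipaddress.IPv6Address(sbody[9:25])
                    found.append({"iaid": iaid, "t1": t1, "t2": t2, "prefix": f"{addr}/{plen}",
                                  "preferred": pref, "valid": valid})
    if not addressed_to_us:
        raise ValueError("Reply does not carry our Client Identifier")
    return found


def lan_prefixes(delegated, count):
    """Carve /64s for the internal links out of the delegated prefix; the CPE announces these in RAs."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix is smaller than a /64; SLAAC needs a /64 per link")
    if net.prefixlen == 64:
        return [str(net)]
    return [str(subnet) for subnet in itertools.islice(net.subnets(new_prefix=64), count)]


if __name__ == "__main__":
    cpe, isp, xid = bytes.fromhex("0003000100112233445566"), bytes.fromhex("000300010a0b0c0d0e0f"), 0x123456
    reply = build_reply_pd(cpe, isp, 1, "2001:db8:1200::/56", xid)
    print(delegated_prefixes(reply, cpe, xid), lan_prefixes("2001:db8:1200::/56", 3))
```

Note the check on the delegated length: an ISP that hands out a single /64 leaves the router with exactly one internal link that can run SLAAC, which is the practical reason the diary expects /64 "or larger" delegations.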
Renumbering
With DHCPv4, a host picks up an address along with a lease time. Halfway through the lease, the host checks whether the address is still valid. In addition, the host requests a new address after each reboot. In IPv6, this is still true in principle. However, the DHCPv6 server may also initiate renumbering, for example if the IPv6 prefix changed, by sending a Reconfigure message that tells the client to renew its configuration. In addition, a host that reboots will first check (with a Confirm message) whether its old address is still valid. This behavior is also frequently seen in IPv4, but in IPv6 it is more likely that the old address can be reused.
Did I forget anything? For a simple network configuration, setting up DHCPv6 isn't all that hard. The part where it gets tricky is when you try to assign static addresses, or multiple addresses to a particular interface.
References: RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6): http://tools.ietf.org/html/rfc3315
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Keywords: dhcpv6 ipv6 focus month
Comments
printer
Mar 18th 2013
1 decade ago
jullrich@sans.edu
Mar 19th 2013
1 decade ago
For DHCP-PD, it's just like you stated. I would just clarify that there are two links in question. The "outside" interface of the CPE or customer router still uses SLAAC or DHCPv6 to generate an address for itself. Since the hope with IPv6 is to get away from NAT there needs to be a new method to get a public subnet for the "inside" interface of the CPE/customer router. This is where DHCP-PD comes in. The CPE asks for a delegated prefix via DHCP-PD for its internal networks. This allows the CPE/customer router to use dynamic public addressing on both the outside and inside interfaces. The CPE/customer router then turns around and advertises the internal network prefix, DNS servers, and such via SLAAC and/or DHCPv6 to internal nodes.
In regards to renumbering, the fact that all IPv6 interfaces must support multiple addresses can ease the transition. However in terms of actually doing it my impression is this is still a bit of a work in progress. You can use RAs and SLAAC/DHCPv6 with lifetimes to transition. However for infrastructure devices (routers/firewalls/statically addressed systems) and things like ACLs there can still be a fair amount of work. There is much work in the IETF though to help ease the burden, see https://datatracker.ietf.org/wg/6renum/.
Finally to address the question on support for LDAP, Proxies, and Printers - DHCPv6 is extensible with Type-Length-Value tuples. So a server could be configured with a TLV to support these options. If the client is then configured to request these options the server will supply them.
James Small
Mar 19th 2013
1 decade ago