
SANS Internet Storm Center: IPv6 Focus Month: What is changing with DHCP


IPv6 Focus Month: What is changing with DHCP

Among the different methods to configure IPv6 addresses, most managed networks will likely stick with DHCP. DHCPv6, however, is a bit different from DHCPv4. We summarize here some of the basic differences between DHCPv4 and DHCPv6.
 
DHCPv4 is often used to manage a limited address pool. Address scarcity is not an issue in IPv6, and as a result the focus of the protocol shifts to address management and renumbering of hosts. DHCPv6 is also a complete rewrite of the protocol: a lot of the old BOOTP parameters are gone, and a DHCPv6 packet is a simple type-length-value format packet without many of the fixed fields present in DHCPv4.
 
DHCPv6 uses UDP ports 546 and 547, not 67/68 like DHCPv4.

DHCP Unique Identifiers (DUID)

In DHCPv4, hosts are identified by their MAC addresses. However, MAC addresses are Ethernet specific, and other networking technologies may use different identifiers. DHCPv6 therefore introduces a mandatory DHCP Unique Identifier (DUID) to identify hosts; some modern DHCPv4 implementations already use a DUID as an option, but in DHCPv6 it is mandatory.
 
RFC 3315 defines three different methods to assign DUIDs. Most commonly, the time stamp of the first boot of the system, followed by the link layer address (the MAC address for Ethernet), is used as the DUID. This is referred to as DUID-LLT (link-layer address plus time). The other options are a vendor assigned DUID or the link layer address by itself. The time stamp is added so that two clients that ever appear on the same network can be told apart even if they are never connected at the same time, which a link layer address alone cannot guarantee. The link layer address by itself should only be used for devices without non-volatile storage that are connected permanently to the network.
 
If a system has multiple network interfaces, all of them use the same DUID. To distinguish the interfaces, an identity association (IA) is used.
 
If you configure static IP addresses in your DHCP server, you will have to use the DUID and IA to identify the system, not the MAC address. Sadly, different servers use different formats to represent these identifiers, and you need to figure out how to translate the value your host provides into one the server configuration understands.
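As an added example (not code from the diary), here is a small Python parser for the type-length-value packet layout and for the three DUID forms described above, together with the colon-separated hex rendering that ISC dhcpd accepts for dhcp6.client-id (other servers use other formats, as noted). The SOLICIT message, the MAC address and the DUID time stamp in it are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Option codes and DUID types from RFC 3315 used in this example.
OPT_CLIENTID = 1
OPT_IA_NA = 3
OPT_ORO = 6
OPT_DNS_SERVERS = 23
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
# DUID-LLT time stamps count seconds from this epoch, modulo 2**32.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def parse_options(blob):
    """Walk a run of DHCPv6 options: 2-byte code, 2-byte length, value."""
    options = []
    pos = 0
    while pos + 4 <= len(blob):
        code, length = struct.unpack_from("!HH", blob, pos)
        value = blob[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options.append((code, value))
        pos += 4 + length
    if pos != len(blob):
        raise ValueError("trailing bytes after the last option")
    return options


def parse_message(packet):
    """Client/server DHCPv6 message: 1-byte type, 3-byte transaction id, options.
    There are no fixed fields beyond that, unlike the DHCPv4 header."""
    if len(packet) < 4:
        raise ValueError("too short for a DHCPv6 header")
    return {"type": packet[0],
            "xid": int.from_bytes(packet[1:4], "big"),
            "options": parse_options(packet[4:])}


def decode_duid(duid):
    """Decode the three DUID forms of RFC 3315 section 9."""
    dtype, = struct.unpack_from("!H", duid, 0)
    if dtype == DUID_LLT:                      # hardware type, time, link-layer address
        hwtype, secs = struct.unpack_from("!HI", duid, 2)
        return {"type": "LLT", "hwtype": hwtype,
                "time": DUID_EPOCH + timedelta(seconds=secs), "lladdr": duid[8:]}
    if dtype == DUID_EN:                       # vendor assigned: enterprise number, identifier
        enterprise, = struct.unpack_from("!I", duid, 2)
        return {"type": "EN", "enterprise": enterprise, "id": duid[6:]}
    if dtype == DUID_LL:                       # hardware type, link-layer address only
        hwtype, = struct.unpack_from("!H", duid, 2)
        return {"type": "LL", "hwtype": hwtype, "lladdr": duid[4:]}
    raise ValueError("unknown DUID type %d" % dtype)


def duid_colon_hex(duid):
    """Colon-separated hex, the form ISC dhcpd accepts for dhcp6.client-id."""
    return ":".join("%02x" % b for b in duid)


def client_identity(packet):
    """Decoded DUID, its colon-hex form, and the IAIDs of the IA_NA options."""
    msg = parse_message(packet)
    duid = next(v for c, v in msg["options"] if c == OPT_CLIENTID)
    iaids = [struct.unpack_from("!I", v, 0)[0]
             for c, v in msg["options"] if c == OPT_IA_NA]
    return decode_duid(duid), duid_colon_hex(duid), iaids


# Constructed sample: a SOLICIT from a host with (made-up) MAC 00:11:22:33:44:55
# whose DUID-LLT was generated 400000000 s after the DUID epoch.
SAMPLE_DUID = struct.pack("!HHI", DUID_LLT, 1, 400000000) + bytes.fromhex("001122334455")
SAMPLE_SOLICIT = (
    bytes([1]) + b"\xab\xcd\xef"                                # SOLICIT, transaction id 0xabcdef
    + struct.pack("!HH", OPT_CLIENTID, len(SAMPLE_DUID)) + SAMPLE_DUID
    + struct.pack("!HHIII", OPT_IA_NA, 12, 1, 0, 0)             # IAID 1, T1/T2 left to the server
    + struct.pack("!HHH", OPT_ORO, 2, OPT_DNS_SERVERS)          # also ask for recursive DNS servers
)

if __name__ == "__main__":
    print(client_identity(SAMPLE_SOLICIT))
```

The IAID returned next to the DUID is what distinguishes the interfaces of one host in a server's static configuration; the same DUID shows up from every interface of that host.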

DHCP and Router Advertisements

At first, it may look like DHCP is an alternative to router advertisements. This is true when it comes to address assignment. But overall, DHCPv6 is an extension of router advertisements, and DHCPv6 will not work without them. First of all, the "managed" and "other" flags of a router advertisement tell the host whether to request an address, or other configuration parameters, via DHCP. Also, the default gateway is assigned via router advertisements, not DHCP.

"managed" and "other" flags

If only the "other" flag is set in router advertisements, addresses are assigned via router advertisements, but other parameters, like recursive DNS servers, are assigned via DHCP. DHCP will in this case configure everything BUT the address. The "managed" flag, on the other hand, tells the host to use DHCP for address configuration as well as for the additional parameters.
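To make the two preceding sections concrete, here is an added Python example (not from the diary) that parses a router advertisement, reads the "managed" and "other" flags and the prefix information option, and derives what the host will do: where its address comes from, where the rest of its configuration comes from, and that the default gateway is simply the link-local source of the advertisement. The advertisement bytes, the prefix 2001:db8:1::/64 and the router address fe80::1 are constructed for the example.

```python
import struct
import ipaddress

ND_ROUTER_ADVERT = 134
RA_FLAG_MANAGED = 0x80          # "M": addresses and other configuration via DHCPv6
RA_FLAG_OTHER = 0x40            # "O": addresses via SLAAC, other configuration via DHCPv6
ND_OPT_PREFIX_INFO = 3
ND_OPT_RDNSS = 25
PREFIX_FLAG_AUTONOMOUS = 0x40   # "A": the prefix may be used for SLAAC


def parse_ra(icmp6, src):
    """Parse an ICMPv6 Router Advertisement (ICMPv6 body only, no IPv6 header).
    `src` is the advertisement's link-local source address; a host learns its
    default gateway from it, never from DHCPv6."""
    if icmp6[0] != ND_ROUTER_ADVERT or len(icmp6) < 16:
        raise ValueError("not a router advertisement")
    hop_limit, flags, router_lifetime = struct.unpack_from("!BBH", icmp6, 4)
    ra = {"managed": bool(flags & RA_FLAG_MANAGED),
          "other": bool(flags & RA_FLAG_OTHER),
          # a zero router lifetime means "do not use me as default router"
          "default_router": ipaddress.IPv6Address(src) if router_lifetime else None,
          "prefixes": [], "rdnss": []}
    pos = 16
    while pos < len(icmp6):                     # ND options: type, length in 8-byte units
        otype, olen = icmp6[pos], icmp6[pos + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        body = icmp6[pos + 2:pos + olen * 8]
        if otype == ND_OPT_PREFIX_INFO:         # prefix length, flags, lifetimes, prefix
            plen, pflags = body[0], body[1]
            prefix = ipaddress.IPv6Network((body[14:30], plen))
            ra["prefixes"].append((prefix, bool(pflags & PREFIX_FLAG_AUTONOMOUS)))
        elif otype == ND_OPT_RDNSS:             # reserved, lifetime, then 16-byte addresses
            for i in range(6, len(body), 16):
                ra["rdnss"].append(ipaddress.IPv6Address(body[i:i + 16]))
        pos += olen * 8
    return ra


def host_plan(ra):
    """Apply the flag rules: M means DHCPv6 for addresses and everything else,
    O alone means SLAAC addresses but DHCPv6 (Information-request) for DNS and
    the like, neither means the advertisement alone configures the host."""
    slaac = [p for p, autonomous in ra["prefixes"] if autonomous]
    if ra["managed"]:
        address, other = "dhcpv6", "dhcpv6"
    elif ra["other"]:
        address, other = "slaac", "dhcpv6"
    else:
        address, other = "slaac", "ra_only"
    return {"address": address, "other_config": other, "slaac_prefixes": slaac,
            "gateway": ra["default_router"], "rdnss": ra["rdnss"]}


# Constructed sample: O flag set, M clear, one on-link prefix usable for SLAAC,
# router lifetime 1800 s, sent from fe80::1.
SAMPLE_SRC = "fe80::1"
SAMPLE_RA = (
    struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, RA_FLAG_OTHER, 1800, 0, 0)
    + struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, 64,
                  0x80 | PREFIX_FLAG_AUTONOMOUS, 86400, 14400, 0)
    + ipaddress.IPv6Network("2001:db8:1::/64").network_address.packed
)
# Same advertisement with the "managed" flag instead (flags byte is at offset 5).
SAMPLE_RA_MANAGED = SAMPLE_RA[:5] + bytes([RA_FLAG_MANAGED]) + SAMPLE_RA[6:]

if __name__ == "__main__":
    print(host_plan(parse_ra(SAMPLE_RA, SAMPLE_SRC)))
    print(host_plan(parse_ra(SAMPLE_RA_MANAGED, SAMPLE_SRC)))
```

Feeding the same bytes with the M flag set shows the switch to DHCPv6 for the address while the gateway still comes from the advertisement's source address.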

DHCP-PD

For IPv6, ISPs will likely assign /64 or larger networks to each customer. Right now, with IPv4, ISPs usually use DHCP to assign a single address. The customer typically runs a NAT gateway, and the external IPv4 address assigned by the ISP is shared within the customer's network. DHCPv6 includes a special mode, "prefix delegation", to support this architecture for IPv6. Instead of assigning an individual address, DHCP is used to assign a prefix to a router. The router will then typically use router advertisements to advertise this prefix internally, and hosts will use addresses from it.
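The following is an added Python example (not from the diary) of what the customer router does with a delegated prefix: it decodes the IAPREFIX option that the ISP's server returns inside IA_PD, carves /64 networks for the internal links out of it, and caps the lifetimes it will advertise internally at the lifetimes of the delegation, since a router must not advertise a delegated prefix for longer than it holds it. The delegations (2001:db8:ab00::/56 and a bare /64) and the default advertisement lifetimes are constructed for the example.

```python
import struct
import ipaddress
from itertools import islice

# Lifetimes the router would like to advertise internally (constructed defaults);
# they are capped by the delegated prefix's own lifetimes below.
RA_VALID_DEFAULT = 86400
RA_PREFERRED_DEFAULT = 14400


def decode_iaprefix(body):
    """Decode an IAPREFIX option body (RFC 3633): preferred lifetime, valid
    lifetime, prefix length, 16-byte prefix. This is what the ISP's server
    hands out inside IA_PD instead of an individual address."""
    if len(body) < 25:
        raise ValueError("IAPREFIX body too short")
    preferred, valid, plen = struct.unpack_from("!IIB", body, 0)
    if plen > 128:
        raise ValueError("bad prefix length %d" % plen)
    prefix = ipaddress.IPv6Network((body[9:25], plen))
    return {"preferred": preferred, "valid": valid, "prefix": prefix}


def plan_internal_networks(delegated, lan_count):
    """Carve /64 prefixes for the router's internal links out of the delegated
    prefix, the way a customer router does before advertising them internally."""
    prefix = delegated["prefix"]
    if prefix.prefixlen > 64:
        raise ValueError("a delegation longer than /64 leaves no room for SLAAC networks")
    available = 2 ** (64 - prefix.prefixlen)
    if lan_count > available:
        raise ValueError("only %d /64 networks available in %s" % (available, prefix))
    # The advertised lifetimes may not exceed those of the delegation.
    ra_valid = min(RA_VALID_DEFAULT, delegated["valid"])
    ra_preferred = min(RA_PREFERRED_DEFAULT, delegated["preferred"])
    return [{"prefix": sub, "valid_lifetime": ra_valid, "preferred_lifetime": ra_preferred}
            for sub in islice(prefix.subnets(new_prefix=64), lan_count)]


def _iaprefix(preferred, valid, prefix_text):
    """Build a constructed IAPREFIX body for the samples below."""
    net = ipaddress.IPv6Network(prefix_text)
    return struct.pack("!IIB", preferred, valid, net.prefixlen) + net.network_address.packed


# Constructed samples: a /56 delegation and a bare /64 delegation, both with
# a preferred lifetime of 3600 s and a valid lifetime of 7200 s.
SAMPLE_IAPREFIX_56 = _iaprefix(3600, 7200, "2001:db8:ab00::/56")
SAMPLE_IAPREFIX_64 = _iaprefix(3600, 7200, "2001:db8:ab00:ff::/64")

if __name__ == "__main__":
    for lan in plan_internal_networks(decode_iaprefix(SAMPLE_IAPREFIX_56), 3):
        print(lan)
```

With the /64 delegation only one internal network fits, which is why a router with several internal links needs a shorter delegation from the ISP.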

Renumbering

With DHCPv4, a host picks up an address along with a lease time. Halfway through the lease, the host checks whether the address is still valid. In addition, the host requests a new address after each reboot. In IPv6, this is still true in principle. However, the DHCP server may initiate renumbering, for example if the IPv6 prefix changed. In addition, a host that reboots first checks whether its old address is still valid. This behavior is also frequently seen in IPv4, but in IPv6 it is more likely that the old address can be reused.
 
Did I forget anything? For just a simple network configuration, setting up DHCPv6 isn't all that hard. The part where it gets tricky is if you try to assign static addresses, or multiple addresses to a particular interface.
 
References: DHCPv6 RFC http://tools.ietf.org/html/rfc3315

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I hope that information about printers, LDAP and proxies can be inserted in the DHCPv6 protocol.
Anonymous

For a complete list of DHCPv6 options, see iana.org/assignments/dhcpv6-parameters/… (with links to respective RFCs).
Johannes, ISC Handler

Hello Johannes, nice overview. I wanted to add a few comments based on my understanding. In regards to DHCPv6 and RAs these are more complementary. RAs are a way for the local router to tell hosts how to use the L2 adjacent network. For example, in an RA the router can tell hosts what the link MTU is, which subnets are "on-link" or L2 adjacent, whether or not they can use advertised prefixes for SLAAC, and if they should use a DHCPv6 server for addressing or additional information. As for using RAs for advertising the default router - this provides a more robust way to deal with router replacement/failure than advertising this value from a centralized DHCPv6 server. It also allows for multiple "default gateways" with the same or different preferences for better availability.

For DHCP-PD, it's just like you stated. I would just clarify that there are two links in question. The "outside" interface of the CPE or customer router still uses SLAAC or DHCPv6 to generate an address for itself. Since the hope with IPv6 is to get away from NAT there needs to be a new method to get a public subnet for the "inside" interface of the CPE/customer router. This is where DHCP-PD comes in. The CPE asks for a delegated prefix via DHCP-PD for its internal networks. This allows the CPE/customer router to use dynamic public addressing on both the outside and inside interfaces. The CPE/customer router then turns around and advertises the internal network prefix, DNS servers, and such via SLAAC and/or DHCPv6 to internal nodes.

In regards to renumbering, the fact that all IPv6 interfaces must support multiple addresses can ease the transition. However in terms of actually doing it my impression is this is still a bit of a work in progress. You can use RAs and SLAAC/DHCPv6 with lifetimes to transition. However for infrastructure devices (routers/firewalls/statically addressed systems) and things like ACLs there can still be a fair amount of work. There is much work in the IETF though to help ease the burden, see https://datatracker.ietf.org/wg/6renum/.

Finally to address the question on support for LDAP, Proxies, and Printers - DHCPv6 is extensible with Type-Length-Value tuples. So a server could be configured with a TLV to support these options. If the client is then configured to request these options the server will supply them.
Johannes
