Department of Defense
High Performance Computing Modernization Program

The Dynamic Host Configuration Protocol (DHCP) can automate the configuration of new systems added to networks and improve the management of existing systems on networks using Internet Protocol version 4 (IPv4) and IPv6.

Deploying and configuring DHCP for IPv6 (DHCPv6) is one way to assign addresses on an IPv6-enabled network. DHCPv6 is not just the familiar DHCP for IPv4 (DHCPv4) transliterated into IPv6 – and you need to understand the differences before planning for and deploying DHCPv6.

StateLess Address AutoConfiguration (SLAAC) is another way to assign addresses on an IPv6-enabled network. This CircleID article can help you understand just how different DHCPv6 is from DHCPv4, and how DHCPv6 and SLAAC will change network administration. DHCPv6 comes in 2 flavors: stateless DHCPv6 (originally called DHCPv6 Lite) which uses SLAAC, and stateful DHCPv6 which does not. This presentation can help you decide whether you really need DHCPv6 on your network. (It is not a given.) This article explores the differences between DHCPv4 and stateful DHCPv6.

This article is organized into 5 parts:

  1. Review of basic functionality and terminology for DHCPv6
  2. Review of basic functionality and terminology for SLAAC
  3. Configuration examples for different DHCPv6 clients, servers, and relay agents
  4. Definition and prevention of rogue Router Advertisements (RAs)
  5. Reference documents for DHCPv6.

 

1. Review of DHCPv6

This paper by Benjamin Long at the University of New Hampshire InterOperability Laboratory was written in 2009. It provides a basic overview of DHCPv6 configurations, Domain Name Server (DNS), and Session Interface Protocol (SIP) concepts, defines relevant terminology, and discusses issues to consider when configuring DHCPv6 servers and relay agents, or when deploying cascading relay agents. This paper (part 1 and part 2), written in 2014, goes into more detail on the creation of client addresses on DHCPv6-enabled networks.


The DHCPv6 server is usually on a different link/subnet than most of its clients. On each link where the DHCPv6 server is not directly connected but clients are present, a router must be configured as a relay agent. That router will typically be the one that also transmits RAs for that link as described by Internet Engineering Task Force (IETF) Request for Comments (RFC) 8106. Depending on the network topology, a series of cascading relay agents (either routers or computers) are configured on the intermediate links between the DHCPv6 server’s link and the clients’ links.

 

2. Review of SLAAC

The article IPv6 Address Management – stateless, stateful, DHCP ... oh, my! discusses basic SLAAC, stateless DHCPv6 + SLAAC and stateful DHCPv6 addressing. Part 1 and part 2 of an article written in 2017 by Tom Coffeen discuss SLAAC addressing in more detail. This article discusses underlying features of IPv6 which enable SLAAC: Neighbor Discovery Protocol (NDP) and Internet Control Message Protocol (ICMP) for IPv6 (ICMPv6). This article describes another underlying feature of IPv6 which enables SLAAC: Extended Unique Identifier (EUI) addressing.

The National Institute of Standards and Technology Special Publication 800-119, Guidelines for the Secure Deployment of IPv6, was written by Sheila Frankel, et al, in 2010. It covers a wide range of subjects about the IPv6 protocol. In particular, section 3.5.4 and sections 4.7 through 4.7.3 (inclusive) discuss selected DHCPv6 and SLAAC topics:

  1. Tradeoffs between the use of DHCPv6 and SLAAC
  2. RA flag configurations
  3. Exchanges of messages between DHCPv6 server and client
  4. Security ramifications of DHCPv6.

The Samenwerkende Universitaire Reken Faciliteiten Network (SURFNet) IPv6 Deployment In Local Area Networks was written by François Kooman in 2011. It discusses static, SLAAC, and DHCPv6 address assignment mechanisms in more detail than SP800-119. It also discusses static, Recursive DNS Server (RDNSS), and DHCPv6 DNS assignment mechanisms.

 

3. Configuration examples

On the PennState IPv6 Home website, this page provides configuration examples or links to examples for several DHCPv6 servers, including Cisco IOS, Dibbler, ISC, Nominium, and Microsoft Windows. That same page also provides configuration examples or links to examples for a variety of clients, including AIX, FreeBSD, Apple macOS and OS X (w/ Dibbler), Red Hat, Solaris, Ubuntu, and Microsoft Windows (w/ and w/o Dibbler). On the Juniper website, this article provides a configuration example for a Juniper JUNOS DHCPv6 server. This series of articles provides configuration examples for several variations of DHCPv6 on Cisco IOS including: Stateful DHCPv6, Stateless DHCPv6 + SLAAC, Stateful DHCPv6 Relay (rapid commit), and Stateful DHCPv6 Prefix delegation (rapid commit).

On the NetworkWorld website, Rand Morimoto published a series of 8 articles in 2011 about deploying IPv6 in a Microsoft Windows-centric infrastructure. The fourth article, DHCPv6 and Dynamic IPv6 Addresses, describes the configuration of a Windows 2008 R2 (and later) dual-stack DHCP (DHCPv6 in addition to legacy DHCPv4) server and its clients while an (unrelated) article describes the configuration of a Windows 2012 (and later) dual-stack DHCP server. Maintaining pre-assigned static IPv6 addresses for routers and other infrastructure elements (DHCP Reservations), and how to set up more than one DHCP server are also covered. (All 8 articles in the series are discussed in more detail in the Enabling IPv6 in Microsoft Windows Environment article under the Infrastructure section.)

Relay agent configurations for Nokia (formerly Alcatel-Lucent) routers are described in this article, for Extreme Networks (formerly Brocade) NetIron routers in this article (page 397), for Cisco IOS routers in this article, for Juniper JUNOS routers in this article, for Linux computers using dhcp6r or rtadvd, and for Microsoft Windows computers in this article. Additional relay agent configurations for Cisco Control And Provisioning of Wireless Access Points (CAPWAP) Access Controller (DHCPv6 Option 52 per RFC 5417), DHCPv6 Client Link-Layer Address Option per RFC 6939, and DNS Search List (DNSSL) Option per RFC 6106 are described in this article.

4. Definition and Prevention of rogue Router Advertisements

On every link, there should be only one relay agent transmitting RAs. Whether by accident or malice, RAs transmitted by any unauthorized relay agent are called rogue RAs. By usurping the role of the relay agent authorized to send out RAs, such rogue RAs cause confusion and misconfiguration of other systems on the link. Rogue RAs are described in more detail by RFC 6104. Various vendors are actively implementing RA Guard, described by RFC 6105, to make it easier to detect and block rogue RAs. RFC 7113, an update to RFC 6105, suggests ways to mitigate attempts to circumvent RA Guard.

A frequent source of accidental rogue RAs is the addition of a Microsoft Windows system that has Internet Connection Sharing enabled to an existing network, as discussed in the Windows Internet Connection Sharing (ICS) article in the Security section. Additional causes of rogue RAs and approaches to dealing with them are described in Section 5.2 of Nippon Telegraph and Telephone (NTT) Information Sharing Platform Laboratories Deploying IPv6: Problems and Solutions.

This Cisco whitepaper provides an in-depth description of the situation and suggests ways to detect and prevent rogue RAs. On the PennState IPv6 Home website, the IPv6 Security web page describes general IPv6 security techniques. In particular, the RA filtering and Rogue DHCPv6 server sections of that web page provide RA filtering or blocking suggestions for Cisco, HP, Juniper, and 3Com routers. This article discusses disabling RAs on both routers and hosts.
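The detection side of the rogue RA problem can be shown with a short passive check. The following is an added example, not taken from this article or from any of the vendor documents it links to, and it is not an implementation of RA Guard: it parses the ICMPv6 Router Advertisement body defined by RFC 4861 and reports RAs whose source or advertised prefix is not on an allowlist. The router address, the prefixes, and the `build_ra` helper are constructed sample values.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option type
# Constructed allowlist: the single authorized RA sender and its prefix.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}


def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 RA body into its M/O flags and advertised prefixes."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]     # M (stateful DHCPv6) = 0x80, O (other config) = 0x40
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": struct.unpack_from("!H", icmp6, 6)[0], "prefixes": []}
    off = 16             # options start after the fixed 16-byte header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen = icmp6[off + 2]
            addr = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += opt_len
    return ra


def check_ra(src: str, icmp6: bytes, routers: set, prefixes: set) -> list:
    """Return the reasons an observed RA looks rogue (empty list means OK)."""
    ra = parse_ra(icmp6)
    findings = []
    if ipaddress.IPv6Address(src) not in routers:
        findings.append(f"RA from unauthorized source {src}")
    for prefix in ra["prefixes"]:
        if prefix not in prefixes:
            findings.append(f"unexpected prefix {prefix}")
    return findings


def build_ra(prefix: str, flags: int = 0x80) -> bytes:
    """Build a constructed sample RA (checksum left at zero) for testing."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + opt + net.network_address.packed
```

In practice the source address and ICMPv6 bytes would come from a capture on the monitored link; a non-empty result from `check_ra` is the event to alert on.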

5. Reference documents

  1. Nokia (formerly Alcatel-Lucent) OS
  2. Extreme Networks (formerly Brocade) NetIron IPv6 Configuration (page 139)
  3. Cisco IOS
  4. Juniper JUNOS 
  5. Oracle Solaris
