IPv6 Stateless Autoconfiguration – a simple explanation.

Interesting explanations of various parts of the IPv6 protocol sometimes turn up on forums; this time I came across a post in which Lawrence Hughes of Infoweapons explains to newcomers to the IPv6 world how SLAAC works. An interesting read, especially for newcomers…

To stay true to the original, I am reproducing the text here in English:

Basically, nodes do SLAAC by default.

Step 1: generate a 64-bit “interface identifier” (low 64 bits of an IPv6 address) – using either EUI64 (create from 48-bit MAC address) or randomized interface identifier (chosen at random from 2**64 possible values) – which depends on node configuration. Say it is 1:2:3:4.

Step 2: create link-local node address using ii from step 1, by prepending fe80 to it, say fe80::1:2:3:4.

Step 3: send Router Solicitation msg to all routers on local link multicast address; if no response, SLAAC ends with only link-local address generated.

Step 4: if you get back at least one Router Advertisement msg to your RS msg (step 3), then use the link-local address of one of them as your default gateway, and if at least one 64-bit prefix is returned (say 2001:db8:1000:2000::/64), then also generate a global unicast address using ii from step 1, say 2001:db8:1000:2000:1:2:3:4. This is done for each unique 64-bit prefix returned by router(s) that responded.

Step 5: check RA msg for M and O bits. If M=1, then there is a stateful DHCPv6 server (or relay agent) on the local link. If so, send request to all DHCPv6 servers/relay agents on local link multicast address, obtain another unique global unicast address and various stateless info (IPv6 address of DNS, etc). SLAAC complete.

If M=0, but O=1, there is a stateless DHCPv6 server (or relay agent). Send request to all DHCPv6 server/relay agent multicast address and get stateless info (IPv6 address of DNS, etc). SLAAC complete.

If both M=0 and O=1, there is no DHCPv6 available, SLAAC complete.

DHCPv6 never supplies default gateway, subnet mask, etc.

Most nodes have no way to prevent SLAAC from working, although on some if you configure a static IPv6 global address manually, SLAAC does not work (e.g. FreeBSD). This appears to be not compliant with RFCs. With Windows or Linux, even if you manually specify a static address, they still do SLAAC, and get default gateway and a SLAAC node address.

DHCPv6 can only work if SLAAC works (otherwise it won’t know setting of M and O bits from RA msg). In theory a node could contact DHCPv6 without using SLAAC, but it would not be able to get default gateway, and this is not in compliance with RFCs.

So, in general (except in FreeBSD), if you configure a global address manually, and there is a stateful DHCPv6 server available, you will get (at least) 3 distinct global IPv6 addresses (at least one from SLAAC, one from manual, and one from DHCPv6 stateful). Windows Vista/7 by default gets TWO global addresses from SLAAC – one permanent and one temporary. All these are IN ADDITION to link local address the node creates automatically.

Next hop is ALWAYS link local. If target is on-link, link-local will always work. If target is off-link, it will use default gateway address for next hop, which should always be link-local. Exception is if you manually configure a global unicast default gateway (not generally a good idea, but it will work). ND address resolution usually maps link-local addresses onto link-layer (MAC) addresses.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hughesnet.local
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-22-15-24-32-9C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:470:3d:3000::2:1(Preferred)
Lease Obtained. . . . . . . . . . : Thursday, March 24, 2011 7:21:19 PM
Lease Expires . . . . . . . . . . : Tuesday, April 05, 2011 7:28:01 PM
IPv6 Address. . . . . . . . . . . : 2001:470:3d:3000:222:15ff:fe24:329c(Preferred)
IPv6 Address. . . . . . . . . . . : 2001:470:3d:3000:9201:9970:fbe8:4662(Preferred)
Link-local IPv6 Address . . . . . : fe80::222:15ff:fe24:329c%11(Preferred)
IPv4 Address. . . . . . . . . . . : 172.20.2.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : Sunday, March 20, 2011 6:59:57 PM
Lease Expires . . . . . . . . . . : Tuesday, March 29, 2011 7:21:19 PM
Default Gateway . . . . . . . . . : 2001:470:3d:3000::1
fe80::21b:21ff:fe1d:c159%11
172.20.0.1
DHCP Server . . . . . . . . . . . : 172.20.0.11
DHCPv6 IAID . . . . . . . . . . . : 218112533
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-99-BD-28-00-22-15-24-32-9C

DNS Servers . . . . . . . . . . . : 2001:470:3d:3000::11
2001:470:3d:3000::12
172.20.0.11
172.20.0.12
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
hughesnet.local

subnet prefix for my network is 2001:470:3d:3000::/64 (from RA msg during SLAAC)

My MAC address is 00-22-15-24-32-9C, so EUI64 ii is ::222:15ff:fe24:329c

First global IPv6 address listed came from DHCPv6 stateful (2001:470:3d:3000::2:1)
DHCPv6 was configured with pool 2001:470:3d:3000::2:1 to 2001:470:3d:3000::2:ffff
address is from DHCPv6, so it is counting down, but still in preferred state (preferred counter and valid counter still both > 0).

Next two global IPv6 addresses came from SLAAC (I configured my Win7 to use EUI-64, by default it uses randomized, so first one is from EUI64, second is temporary, randomized).
First address is subnet prefix followed by EUI64: 2001:470:3d:3000:222:15ff:fe24:329c
Second is subnet prefix followed by random ii: 2001:470:3d:3000:9201:9970:fbe8:4662

Both addresses are generated, so both start timing out, but are currently in “preferred” state (preferred counter and valid counter still both > 0).

Default gateway (fe80::21b:21ff:fe1d:c159%11) comes from SLAAC, link local

The two IPv6 addresses of DNS are from stateless DHCPv6 (not manually configured)

All IPv4 configuration info came from DHCPv4.

No IPv6 global address was manually configured.

StateLess Auto Address Configuration (SLAAC) is always STATELESS (hence the name). No information has to be kept between configurations, or once a configuration is done (at least by the router advertisement daemon or the routers).

DHCPv6 can be STATELESS (only provides information that is the same for all nodes, like IPv6 addresses of DNS) or STATEFUL (also provides unique node address for each node). In STATEFUL mode, the DHCPv6 server has to keep track of information to make sure it never provides the same address to another node (hence it keeps “STATE”).

Yes, basically, autoconfig is a complex process that always starts with SLAAC but can also include DHCPv6 if a server is present. To obtain more than just a link-local address there must be a source of Router Advertisement messages (router or firewall) in your local link. This is usually called a Router Advertisement Daemon. Most dual stack routers and firewalls include those. You will only ever find one of those on a ROUTER (a node with multiple interfaces that does packet forwarding), never on a HOST (a node that does not do forwarding, usually with only one interface).

It is EXTREMELY rare to use anything BUT /64 for a subnet. In some cases it can work, but there are devices out there that will fail if you use anything else. SLAAC will generate 64-bit interface identifiers, so you must have AT LEAST /64 (in theory /60 might work, but I never tried it). /68 would definitely NOT work with SLAAC. Both EUI64 and randomized interface identifiers create 64 bit interface identifiers. I think if you use anything but /64 you pretty much have to assign all addresses manually (possibly DHCPv6 would work, again, haven’t tried it).

There is no reason to use SMALLER than /64 (e.g. /72) because SLAAC won’t work. There is no reason to use LARGER than /64 (e.g. /60) because /64 is already 18 quadrillion addresses, and that’s enough for ANY subnet. So, just always use /64 unless you are doing something REALLY off the wall, and know exactly what you’re doing. You could in theory use a /124 for a link with only two nodes on it (e.g. between external router and a firewall), but it really complicates things and there is no need – there are PLENTY of /64 subnets to go around – 65,536 in every /48. You should STOP thinking in terms of IPv4 scarcity. Start thinking in terms of SIMPLICITY made possible because of the overwhelming number of IPv6 addresses. Much simpler to just say “all subnets are /64, period”. For example, there is no need to recover and reuse an IPv6 address after one has expired. Use once, throw away. Can’t do that with IPv4!

BTW, I forgot to mention one interesting item. Note that the interface identifier in one of the SLAAC generated global unicast addresses, and the one in the link local address are the same. This would be true even if the node generated its interface identifier randomly. In this case they both happen to be generated from the node’s MAC address using EUI-64 algorithm.

My MAC address is 00-22-15-24-32-9C, so EUI64 ii is ::222:15ff:fe24:329c
IPv6 Address. . . . . . . . . . . : 2001:470:3d:3000:222:15ff:fe24:329c(Preferred)
Link-local IPv6 Address . . . . . : fe80::222:15ff:fe24:329c%11(Preferred)

Also note use of the zone identifier (%11) included after the link local address.

Since that address could be used on more than one interface (e.g. wired ethernet and wifi), it is necessary to specify which INTERFACE is involved. In Windows that is typically a numeric value (in this case, 11). In FreeBSD and Linux, it is typically an alphanumeric name, e.g. fxp0 or eth0. The zone identifier is needed after link local addresses in many places, e.g. if you specify the default gateway as a link local address in FreeBSD (in /etc/rc.conf). Usually if you are pinging a link local address you will need to include the correct zone identifier as well. This confuses many people just starting out with IPv6, since without a source of router advertisement messages, your node will only generate a link local address. If you try to ping that from another node (minus the zone identifier) it won’t work. Either provide a source of router advertisement messages, or configure a global unicast address manually, and things will work more easily.

No question about it, he explained it nicely, and I hope you now understand how SLAAC works.

Source: Linked-in IPv6 group

Jan Žorž
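
Steps 1 to 5 of the quoted post, worked through for the EUI-64 case with the MAC address and prefix from the ipconfig output, as an added example in Python (not part of the original post). The `ra` dictionary is a hypothetical stand-in for a received Router Advertisement, the no-DHCPv6 case is M=0 and O=0, and `embedded_mac` shows that an EUI-64 based address reveals the hardware address while the randomized temporary address does not.

```python
import ipaddress

def eui64_iid(mac: str) -> int:
    """Step 1 (EUI-64 variant): split the MAC, insert ff:fe, flip the U/L bit."""
    b = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def join(prefix: str, iid: int) -> str:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def autoconfigure(mac: str, ra=None) -> dict:
    """Steps 1-5. `ra` is a hypothetical dict standing in for a received RA:
    {"M": bool, "O": bool, "prefixes": [(prefix, a_flag), ...]}; None = no reply."""
    iid = eui64_iid(mac)
    result = {"link_local": join("fe80::/64", iid), "global": [], "dhcpv6": "none"}
    if ra is None:                      # step 3: no router answered the RS
        return result
    for prefix, a_flag in ra["prefixes"]:
        if a_flag:                      # A flag cleared: prefix not used for SLAAC
            result["global"].append(join(prefix, iid))
    if ra["M"]:
        result["dhcpv6"] = "stateful"   # address and other information
    elif ra["O"]:
        result["dhcpv6"] = "stateless"  # other information only (DNS, etc.)
    return result

def embedded_mac(address: str):
    """Return the MAC recoverable from an EUI-64 based address, else None.
    A random identifier can match the ff:fe marker by chance (1 in 65536)."""
    iid = int(ipaddress.IPv6Address(address.split("%")[0])) & (2**64 - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None                     # randomized, DHCPv6-assigned or manual
    return "-".join("%02X" % x for x in bytes([b[0] ^ 0x02]) + b[1:3] + b[5:])

if __name__ == "__main__":
    # MAC, prefix and addresses are the ones shown in the ipconfig output.
    ra = {"M": True, "O": True, "prefixes": [("2001:470:3d:3000::/64", True)]}
    print(autoconfigure("00-22-15-24-32-9C", ra))
    for a in ("2001:470:3d:3000::2:1", "2001:470:3d:3000:9201:9970:fbe8:4662",
              "fe80::21b:21ff:fe1d:c159%11"):
        print(a, "->", embedded_mac(a))
```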

Comments

  1. April 8th, 2011 | 13:18

    Nice
    What about the DHCPv6 Client DUID? The last part is obviously the MAC, but what about the front part?

  2. April 9th, 2011 | 12:18

    The DUID is a funny story. The RFC says the DUID must be stable, but in real life it is not. It is a mix of the MAC address, a timestamp and some other completely random data. Perhaps it would be fun to describe this in a separate post here on go6.si.
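
The DUID from the ipconfig output in the post, decoded field by field as an added example in Python (not from the post or the commenters), using the DUID layouts defined in RFC 3315, section 9. It also handles the two other DUID types defined there.

```python
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # time base for DUID-LLT

def fmt_mac(b: bytes) -> str:
    return "-".join("%02X" % x for x in b)

def parse_duid(text: str) -> dict:
    """Decode a DUID written as hex bytes separated by '-' or ':'."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) < 2:
        raise ValueError("DUID too short")
    dtype = int.from_bytes(raw[:2], "big")
    if dtype == 1:                      # DUID-LLT: link-layer address plus time
        if len(raw) < 8:
            raise ValueError("truncated DUID-LLT")
        secs = int.from_bytes(raw[4:8], "big")
        return {"type": "DUID-LLT",
                "hardware_type": int.from_bytes(raw[2:4], "big"),  # 1 = Ethernet
                "generated": DUID_EPOCH + timedelta(seconds=secs),
                "link_layer": fmt_mac(raw[8:])}
    if dtype == 2:                      # DUID-EN: vendor-assigned identifier
        if len(raw) < 6:
            raise ValueError("truncated DUID-EN")
        return {"type": "DUID-EN",
                "enterprise_number": int.from_bytes(raw[2:6], "big"),
                "identifier": raw[6:].hex()}
    if dtype == 3:                      # DUID-LL: link-layer address only
        if len(raw) < 4:
            raise ValueError("truncated DUID-LL")
        return {"type": "DUID-LL",
                "hardware_type": int.from_bytes(raw[2:4], "big"),
                "link_layer": fmt_mac(raw[4:])}
    return {"type": "unknown (%d)" % dtype, "data": raw[2:].hex()}

if __name__ == "__main__":
    # Value copied from the "DHCPv6 Client DUID" line of the ipconfig output.
    for key, value in parse_duid("00-01-00-01-11-99-BD-28-00-22-15-24-32-9C").items():
        print(key, "=", value)
```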

  3. April 18th, 2011 | 07:05

    Maybe just a question about DHCPv6, namely:
    I probably have some dhcp6s.conf parameters wrong, but this is probably not by-design behaviour. On renew it drops all my TCP connections over IPv6?! I actually noticed it with ssh sessions, which have to be re-established. Jan, any ideas/experience? Thanks.

    Regards,
    Marko

  4. April 18th, 2011 | 08:24

    In my opinion this is a poor implementation…

  5. April 18th, 2011 | 09:08

    DHCPv6 or maybe RADVD? The implementation is on Linux, though…
    radvd-0.9.1-4
    dhcpv6-1.0.10-20.el5

    Regards,
    Marko

  6. April 18th, 2011 | 09:42

    radvd has nothing to do with DHCP; it is a complementary mechanism.

    Try the ISC DHCP server, which also ships with a client. Since I don't use DHCP6 I haven't tested this yet, but I would be interested in the results…

  7. April 18th, 2011 | 16:13

    This is ISC DHCP. I found the problem; the valid-time parameter was actually too small by default and the address became invalid. According to the RFC it is valid for 30 days, so I set it that way and it works so far. Thanks anyway.

  8. Jeff
    January 12th, 2012 | 15:34

    Nice write up!!

    As a note, on a router that is sending RA’s, you should be able to configure the router to _not_ advertise the network prefix (turn off the “A” flag – autonomous address-configuration flag. When set indicates that this prefix can be used for stateless address configuration), but still have M flag set for DHCPv6 (if desired).

    Then, if you have manual addr or DHCPv6 (local or relay), you will not also have a SLAAC address.

    I have been playing around a lot lately with this in the lab, on HP ProCurve, HP Comware (former H3C/3Com), and Cisco 3750.

    hth…Jeff

  9. January 30th, 2012 | 16:40

    By the way, in case anyone else reads this, there is a typo in the description. Instead of
    “If both M=0 and O=1, there is no DHCPv6 available, SLAAC complete.”
    it should read:
    “If both M=0 and O=0, there is no DHCPv6 available, SLAAC complete.”
