IPv6 configuration
This page describes how we perform IPv6 configuration. Please see also the accompanying page about IPv6 deployment at the departmental level at the departmental (local network) level.
IPv6 information
Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP), the communications protocol that routes traffic across the Internet.
General books about IPv6 can be searched at Amazon.
Internet pages discussing IPv6:
Why is IPv6 Important? (Microsoft)
IPv6 Link-local address
IPv6 addressing
An IPv6 address consists of exactly 8 quartets (i.e., 4 hexadecimal digits) separated by : characters. The notation :: signifies one or more quartets containing zeroes (can be used only once in an address). Read more about IPv6_addressing.
Usually a /64 (64 bits out of 128) subnet is allocated to the departmental level, for example:
2001:0878:0200::/48 (university level)
2001:0878:0200:xxxx::/64 (department level)
Router Advertisements
In order for IPv6 to function, Router_Advertisement (RA) is required by our routers to advertise to hosts on our local network basic information about the IPv6 network prefix and the default gateway address. RAs are part of the Neighbor Discovery Protocol [NDP][RFC4861]:
RA: used by routers to advertise their presence together with various link and Internet parameters.
The Neighbor Discovery protocol [RFC4861] describes the operation of IPv6 Router Advertisements (RAs) that are used to determine node configuration information during the IPv6 autoconfiguration process, whether that node’s configuration is stateful, via the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) [RFC3315] or stateless, as per [RFC4862], possibly in combination with DHCPv6 Light [RFC3736].
There is a good description of IPv6 Neighbor Discovery.
There may be possible security/functionality issues with RAs, see Rogue IPv6 Router Advertisement Problem Statement [RFC6104].
There is an IETF effort under way to add route information to DHCPv6, see DHCPv6 Route Options draft-ietf-mif-dhcpv6-route-option-05, but there is currently (2013) no such standard.
To monitor the network for RAs from a Linux host use this command:
tcpdump icmp6 | grep advertise
To capture RA packets on the net using Wireshark, start the Capture process, then enter the following Filter for this type of packet:
icmpv6.nd.ra.flag
To install Wireshark on RPM-based Linux distributions:
yum install wireshark-gnome
(or possibly wireshark-gtk+
).
On Linux hosts you can display the IPv6 routing information by either of these commands:
/sbin/ip -6 route show [dev <device>]
/sbin/route -A inet6
Router Advertisement flags
NDP Router_Advertisement messages contains several one-bit flags, see IPv6 Router Advertisement Flags Option RFC5175 (section 3). Of particular relevance are:
M - Managed Address Configuration Flag [RFC4861] implies the use of DHCPv6.
O - Other Configuration Flag [RFC4861] implies that Other configuration information such as DNS should be obtained by DHCPv6. If the M flag is set, the O flag is redundant and can be ignored because DHCPv6 will return all available configuration information.
RA messages may include prefix information. Each prefix has L and A flags:
L – On-Link Flag. The prefix can be used for on-link determination (other IPv6 addresses with the same prefix are on the same L2 subnet).
A – Autonomous Address Configuration Flag. The prefix can be used for stateless address configuration (SLAAC), see RFC4862.
R – Router Address flag. When set, indicates that the Prefix field contains a complete IP address assigned to the sending router, see RFC6275.
For further details see IPv6 Router_Advertisements_Deep_Dive and Managed-Config-Flag_is_just_a_hint (contains Cisco IOS config information).
IPv4-mapped IPv6 addresses
Hybrid dual-stack IPv6/IPv4 implementations recognize a special class of addresses, the IPv4-mapped IPv6 addresses. In these addresses, the first 80 bits are zero, the next 16 bits are one, and the remaining 32 bits are the IPv4 address. One may see these addresses with the first 96 bits written in the standard IPv6 format, and the remaining 32 bits written in the customary dot-decimal notation of IPv4.
For example, ::ffff:192.0.2.128 represents the IPv4 address 192.0.2.128.
See http://en.wikipedia.org/wiki/Ipv6#IPv4-mapped_IPv6_addresses
DTU IPv6 network
The Danish DeIC/Forskningsnettet has a page about its DeIC IPv6 network.
The central DTU backbone as well as DTU Wireless networks already implement IPv6. DTU’s IPv6 network is:
2001:0878:0200::/48 DTU
IPv6 on Windows
See IPv6 for Microsoft Windows: Frequently Asked Questions.
What versions of Windows provide support for IPv6?:
Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 provide an IPv6 protocol stack and system-side IPv6 support for built-in applications and system services. The IPv6 protocol stack in these versions of Windows is an integrated IPv4 and IPv6 implementation known as the Next Generation TCP/IP stack. For more information, see Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008.
Microsoft also provides a supported IPv6 protocol stack for Windows Server 2003, Windows XP with Service Pack 1 (SP1) or later, and Windows CE .NET 4.1 or later. However, these operating systems have very limited IPv6 support for built-in applications and system services and are not recommended for an IPv6 deployment.
Disabling IPv6 on Windows
See How to disable IP version 6 or its specific components in Windows. This page has Fix it Solutions to enable or to disable IPv6 or to selectively enable or disable components of IPv6 automatically.
IPv6 on Raspberry Pi Raspbian “wheezy”
The Raspberry_pi device with Raspbian “wheezy” doesn’t enable IPv6 by default, but there is a well-known procedure at http://www.raspberrypi.org/phpBB3/viewtopic.php?f=66&t=15886.
Add the text ipv6
to /etc/modules
, then reboot the computer.
Loading ipv6 consumes 300K of RAM.
Only the Link Local IPv6 address will become enabled.
Configuring DHCPv6 client
The Raspbian “wheezy” IPv6 network interface does unfortunately not include a DHCPv6 client for dynamically managed addresses. A working method for Debian Linux is described in http://www.rjsystems.nl/en/2100-dhcpv6-stateful-autocfg.php
This will install the package wide-dhcpv6-client, and furthermore some configuration files need to be edited. There is a WIDE_DHCPv6 homepage.
IPv6 on RHEL5/CentOS5
To enable IPv6 on RHEL5/CentOS5 see:
You have to add to /etc/sysconfig/network
:
NETWORKING_IPV6=yes
and configure the eth0 (say) interface file /etc/sysconfig/network-scripts/ifcfg-eth0
for some manual addresses (xxx):
IPV6INIT=yes
IPV6ADDR=xxx
IPV6_DEFAULTGW=xxx
The IPv6 configuration parameters are listed in /etc/sysconfig/network-scripts/ifup-ipv6
:
# Uses following information from "/etc/sysconfig/network":
# NETWORKING_IPV6=yes|no: controls IPv6 initialization (global setting)
# IPV6_DEFAULTDEV=<device>: controls default route (optional)
# IPV6_DEFAULTGW=<address>: controls default route (optional)
#
# Uses following information from "/etc/sysconfig/network-scripts/ifcfg-$1":
# IPV6INIT=yes|no: controls IPv6 configuration for this interface
# IPV6ADDR=<IPv6 address>[/<prefix length>]: specify primary static IPv6 address
# IPV6ADDR_SECONDARIES="<IPv6 address>[/<prefix length>] ..." (optional)
# IPV6_ROUTER=yes|no: controls IPv6 autoconfiguration (no: multi-homed interface without routing)
# IPV6_AUTOCONF=yes|no: controls IPv6 autoconfiguration
# defaults:
# IPV6FORWARDING=yes: IPV6_AUTOCONF=no, IPV6_ROUTER=yes
# IPV6FORWARDING=no: IPV6_AUTOCONF=yes
# IPV6_MTU=<MTU for IPv6>: controls IPv6 MTU for this link (optional)
# IPV6_PRIVACY="rfc3041": control IPv6 privacy (optional)
# This script only supports "rfc3041" (if kernel supports it)
DHCPv6 client on RHEL5/CentOS5
To be written.
DHCPv6 service
DHCPv6 is a network protocol that is used for configuring IPv6 hosts with IP addresses, IP prefixes and/or other configuration required to operate on an IPv6 network.
DHCPv6 uses UDP port number 546 for clients and port number 547 for servers.
It is required to run a DHCPv6 server on the local subnet, even if client addresses are auto-configured. At a minimum, addresses of IPv6 DNS recursive resolver servers must be provided to clients by the DHCPv6 server.
DHCPv6 address assignment
The host IPv6 address and DNS information may be assigned by Router Advertisements and/or a DHCPv6 server. How this happens on various host operating systems is really confusing as discussed in this paper:
There are some other interesting papers:
Probably the correct (or optimal) DHCPv6 address assignment method must be combined with the following Router Advertisements configuration:
M flag is on.
O flag is on.
A flag is on.
L flag is on.
No prefix advertisement.
However, client OSes such as Android may not behave correctly when managed by DHCPv6, see the above paper.
For example, for a Cisco router’s subnet xx:yy:zz:ww::/64 the configuration of RA flags may be:
ipv6 nd prefix xx:yy:zz:ww::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 nd router-preference High
In the ipv6 nd prefix
command the A and L flags are on (=1) by default (can be changed by the no-autoconfig and no-onlink flags).
See this Cisco IOS IPv6 Command Reference.
DHCPv6 documentation
A good general discussion is DHCPv6 – an introduction to the new host configuration protocol.
DHCPv6 – a presentation by John Jason Brzozowski - very detailed.
xCat_DHCPv6_management (discusses usage of DUID and UUID)
IPv6 - Auto Configuration vs DHCPv6 (IPv6.com Tech Spotlight).
IPv6 Router Advertisement Flags, RDNSS and DHCPv6 Conflicting Configurations.
I Don’t Have Any Neighbors – A Deep Dive into DHCPv6, Part 1 and Router Advertisement Options to the Rescue – A Deep Dive into DHCPv6, Part 2.
Defining documents are in the IETF RFCs:
For multiple subnets or VLANs there unfortunately doesn’t exist any DHCPv6 relay agent similarly to the DHCPv4 relay agent (RFC2131) case. However, there exists an IETF draft Client Link-layer Address Option in DHCPv6 which attempts to create a future standard for DHCPv6 relay agent.
DHCPv6 server software
There are several implementations of DHCPv6 servers:
The ISC_DHCP software (see ISC_DHCP_documentation) is the most widely used open source DHCP implementation on the Internet.
The dhcpy6d open source server for DHCPv6. Can use MAC-addresses for client identification.
The Dibbler portable DHCPv6 implementation.
Discussions about the Microsoft_DHCPv6 server:
DHCPv6 Unique IDentifier (DUID)
The DHCP Unique Identifier (DUID) is defined by RFC3315 (section 9). It is used by a DHCPv6 servers and clients as part of the IPv6 address assignment process.
You can no longer simply use the MAC address of an interface to assign a fixed IP address via DHCPv6. However, you can use MAC-addresses as client identifiers if you deploy the dhcpy6d open source server for DHCPv6. Please read the sections on dhcpy6d below.
RFC3315 (section 11) lists the client information which may be used, the DUID being one of them. Unlike DHCPv4, in which the MAC address of the client interface is included in a DHCP request, DHCPv6 may use a DHCP Unique Identifier, or DUID, to uniquely identify the client. The same DUID is used by the system regardless of which interface a DHCPv6 message originates from.
DUID on Windows 7
Windows 7 can display its DHCPv6 DUID in a command window:
ipconfig /all
...
Ethernet adapter Local Area Connection:
...
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-C1-BA-6E-08-00-27-30-C3-B8
DUID on Fedora Linux
Recent Fedora versions use NetworkManager for network interface management. The DUID will be generated by NetworkManager and stored as a line in some DHCP lease file in one of these files:
/var/lib/dhclient/dhclient6.leases
/var/lib/NetworkManager/dhclient6-*.lease
For example (please note that the ISC dhclient6 stores the DUID value in a binary representation):
default-duid "\000\001\000\001\031\012D\036<\331+m3\004";
From NetworkManager 0.9.7.997 Released with Minor Fixed (Fedora 18 and onwards)
the DHCPv6 DUID will be generated using the machine identifier file /etc/machine-id
as input, in stead of the dhclient DHCPv6 client daemon.
UUID-Based DHCPv6 Unique Identifier (DUID-UUID)
If a long-term stable hardware identifier is required, the DUID could be configured using the UUID-Based DHCPv6 Unique Identifier (DUID-UUID) which has been assigned DUID Type 4 by RFC6355:
This document defines a new DHCPv6 Unique Identifier (DUID) type called DUID-UUID.
DUID-UUIDs are derived from the already-standardized Universally Unique IDentifier (UUID) format.
DUID-UUID makes it possible for devices to use UUIDs to identify themselves to DHC servers and vice versa.
UUIDs are globally unique and readily available on many systems, making them convenient identifiers to leverage within DHCP.
Thus the system’s RFC6355 DUID-UUID value must have a 2-byte value of 4 (i.e., 0004
) followed by the 32-byte (128-bit) hardware UUID:
0004<UUID>
The system’s UUID can be found by these commands:
Linux |
|
RHEL, Fedora |
|
Windows |
|
ESXi |
|
The DHCPv6 DUID based upon the UUID may be configured as in the examples in xCat_DHCPv6_management.
Intel’s Ethernet PXE booting uses a GUID (a synonym for UUID) which might be useful for network booting. The PXE GUID/UUID is defined in Intel’s PXE_specification document, and its hexadecimal value is usually displayed next to the Ethernet MAC address on a PC’s PXE network boot screen, for example:
For the hardware GUID in this figure (823126F9-549F-4981-BEEE-00B13FD535F9) the RFC6355 DUID-UUID would become in hexadecimal representation:
0004823126F9549F4981BEEE00B13FD535F9
PXE-booting and GUID/UUID
The PXElinux page explains how the BIOS PXE booting uses TFTP to download configuration files. The first file name being tried is the value of the GUID/UUID, so that PXE boot actions can be configured based upon this value.
Firewall rules for the DHCPv6 server
In order for the server to receive DHCPv6 requests from the network, the iptables firewall must allow UDP port 547:
RHEL7/CentOS7: Using firewalld open the dhcpv6 service port 547/udp:
firewall-cmd --zone=public --add-service=dhcpv6 --permanent firewall-cmd --reload
List the opened services, for example:
# firewall-cmd --list-services dhcpv6-client dhcpv6 ssh
For further information see http://www.firewalld.org/documentation/howto/open-a-port-or-service.html
From a remote host you can port-scan the server’s port 547/udp with nmap:
nmap -O -6 -p 547 -sU <server>
dhcpy6d DHCPv6 server
dhcpy6d is an open source server for DHCPv6, the DHCP protocol for IPv6. Its development is driven by the need to be able to use the existing IPv4 infrastructure in coexistence with IPv6. In a dualstack scenario, the existing DHCPv4 most probably uses MAC addresses of clients to identify them. This is not intended by RFC3315 for DHCPv6, but also not forbidden. dhcpy6d is able to do so in local network segments and therefore offers a pragmatical method for parallel use of DHCPv4 and DHCPv6, because existing client management solutions could be used further.
Installation on RHEL7/CentOS7
Install DNS and database support:
yum install python-dns sqlite MySQL-python
Download the latest dhcpy6d-XXX.el7.centos.noarch.rpm el7 RPM package from http://dhcpy6d.ifw-dresden.de/download/ and install it:
yum install dhcpy6d-*.el7.centos.noarch.rpm
Configuring dhcpy6d
Please consult the dhcpy6d_configuration page.
The configuration file is /etc/dhcpy6d.conf
.
We have chosen a simple text file /etc/dhcpy6d-clients.conf
for client definitions and a simple SQLite database for the DHCP leases.
Starting the dhcpy6d service
When you have completed the dhcpy6d_configuration, add the dhcpy6d service:
RHEL7/CentOS7:
systemctl enable dhcpy6d systemctl start dhcpy6d
When it’s completely tested, make sure dhcpy6d starts at boot time:
chkconfig dhcpy6d on
Leases database in dhcpy6d
The dhcpy6d leases database is described in dhcpy6d_configuration.
If using an SQLite database, its contents can be dumped to stdout by:
sqlite3 /var/lib/dhcpy6d/volatile.sqlite .dump
so that you can view the DHCP leases in the database. SQLite commands are described in Command Line Shell For SQLite.
Managing DHCPv6 clients with the ISC DHCPv6 server
In many organizations the ability to identify client computers on the network will be required for IT security reasons.
Therefore we want to restrict our DHCP servers so that they grant addresses only to registered and authorized client computers.
In the ISC_DHCP server this is done in the configuration file (see man dhcpd.conf
) by:
deny unknown-clients;
Linux DHCP clients and /etc/resolv.conf
On UNIX and Linux hosts, the DHCPv6 client instance has to run as a separate process from the DHCPv4 one, and the two processes race each other to update the /etc/resolv.conf file. The NetworkManager should handle this correctly (testing needed).