IPv6 Implementation beyond theory & How playing with RA messages may be issue-istic

Some of this things I read in books and some of them took me few days of troubleshooting and sweating to get to them so I give them for free here to save you fellow networker some time:

SLAAC

The mighty SLAAC is the prefered method of IPv6 allocation, but is it so mighty? Or it only seems to be mighty and magic? Your computers or mobile phones in order to use SLAAC must be convinced to do so by the router RA message. That message includes the A flag set besides the prefix and all other info. That kind of RA message will tell the device receiving the RA that he needs to make the “A” autoconfiguration on his interface using EUI-64 method.

But that’s not all.

RA messages will need to have also the O flag set. With the O flag end hosts will tell the router that they will use DHCP but only for the “O” other options. In the first place that other option will be DNS server IPv6 address which is not possible to get from router RA messages. Why? I’m sure that’s the most frequent IPv6 question. The fellows who made the RFC 4861 documents didn’t put that option inside RA Router Advertisement Message Format.

I did try to find a reason why not. Maybe the only partially reasonable answer is that DNS is hierarchical system that needs to be centralized inside a network architecture and routers as devices that are running routing processes are distributed system (at least before we see SDN in real life). So the answer will be that is not okay to put allocation of DNS address rule on a system that is not centralized. It means that if you need to change DNS in a network with a lot of routers that are sending RA messages on their local subnets you would need to change the config on all routers one by one. That is the best answer that I did find until now, but this sounds more like excuse that a real reason for this decision. If you put all the info together the answer that fellows from RFC 4861 did actually made the wrong decision is in existence of fairly new RFC 6106 that proposes addition od DNS IPv6 address allocation in RA message.

If you want to use only DHCPv6!

You may think as from previous post on RA flags that setting the M flag in the RA message is all you need to do to be sure that client will use DHCPv6 for IPv6 address allocation. That is only partially true. It is possible that depending on the OS of your computer/phone/something you’ll get first IPv6 address from DHCPv6 but that then the same client will also generate another random IPv6 address and use preferably that random one. It’s not a bug, it’s a feature. This is basic SLAAC privacy extension feature that makes client identity hidden when he moves across different networks.

You can get rid of that SLAAC IPv6 random address only by clearing the A flag. It is also possible to disable SLAAC by removing the prefix configuration on router interface. In this way all the clients on that subnet will be unaware of each others although they are in the same subnet. They will communicate inside the subnet so that all traffic is sent across the router. Clients are using prefix info from RA message and L flag set to realise that they are all on the same subnet. If that info is not available they are thinking that they are alone on the subnet and they send all packets to router.

Send local traffic across the router

If you need some kind of filtering or traffic analyse then the situation from above it’s what you are actually looking for. You can enforce that all local subnet traffic goes across first hop router. Clients on the same IPv6 subnet are learning the same prefix from RA message that router sends them. That RA message has L bit set and that means that router is telling them that they are on the same layer-2 domain. So, to send local traffic across the router and not directly you simply need to clear L flag. The other way is to remove the prefix from router interface config.

DHCPv6 cannot configure Default Gateway

Router RA message is the only way for a client to learn and Configure Default gateway on his NIC because DHCPv6 does not support configuration of that information.

Do not forget!

All this is not the only way for host to get IPv6 addressing info. Each hosts can be configured locally with IPv6 configuration and in that way skip all the info sent from router RA messages.

 

One Response

  1. seymour brown November 19, 2014

Leave a Reply

%d bloggers like this: