SLAAC Presentation

7: SLAAC (Stateless Address Autoconfiguration)
Rick Graziani
Cabrillo College
Rick.Graziani@cabrillo.edu

For more information please check out my Cisco Press book and video series:
• IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6, by Rick Graziani, ISBN-10: 1-58714-313-5
• IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6, by Rick Graziani, ISBN-10: 1-58720-457-6
7.1: Introduction to SLAAC and ICMPv6 ND

Dynamic IPv6 Address Allocation (Global Unicast address options):
• Manual
  • Static
  • Static + EUI-64
  • IPv6 unnumbered (similar to IPv4 unnumbered)
• Dynamic
  • Stateless: SLAAC, SLAAC + DHCPv6
  • Stateful: DHCPv6, DHCPv6-PD
• DHCPv6 and SLAAC with DHCPv6 are discussed in Lesson 8.
Dynamic IPv4 Address Allocation
DHCP Client: “I need IPv4 addressing information from a DHCP server.”
DHCP Server: “Here is your IPv4 address, subnet mask, default gateway and DNS server addresses.”
ICMPv6 (Internet Control Message Protocol for IPv6)
• Described in RFC 4443
• Much more robust than ICMP for IPv4
• Contains new functionality and improvements.
• More than just “messaging” but “how IPv6 conducts business”.
• Includes ICMPv6 Neighbor Discovery (RFC 4861), used in dynamic address allocation.
• Note: ICMPv6 is discussed in detail in Lesson 9, ICMPv6 ND in Lesson 10.
“Introducing” ICMPv6 Neighbor Discovery
ICMPv6 informational messages used by Neighbor Discovery (RFC 4861):
• Router-Device Messaging
  • Router Solicitation Message
  • Router Advertisement Message
  • Used for dynamic address allocation.
  • Redirect Message (similar to ICMPv4)
• Device-Device Messaging
  • Neighbor Solicitation Message
  • Neighbor Advertisement Message
  • Used with address resolution (the IPv6 equivalent of IPv4 ARP) and with DAD
It Begins with the RA Message
Router, ICMPv6 Router Advertisement (multicast): “To all IPv6 devices, let me suggest to you how to do this …”
Host, ICMPv6 Router Solicitation (multicast): “To all IPv6 routers, I need IPv6 address information.”
DHCPv6 Server: “I might not even be needed.”
• An ICMPv6 Router Advertisement (RA) suggests to all IPv6 devices on the link how they will receive IPv6 address information.
• Sent periodically by an IPv6 router or…
• … when the router receives a Router Solicitation message from a host.
It Begins with the RA Message
ICMPv6 Router Advertisement
Router(config)# ipv6 unicast-routing
Router Advertisement (RA) Message
• Part of ICMPv6 (Internet Control Message Protocol for IPv6)
• RA messages are sent by an “IPv6 router”
• An IPv6 router (ipv6 unicast-routing command):
  • Forwards IPv6 packets
  • Enables IPv6 static and dynamic routing
  • Sends ICMPv6 Router Advertisements
• Note: Routers can be configured with IPv6 addresses without being an IPv6 router.
Router Advertisement: 3 Options
Router(config)# ipv6 unicast-routing
Option 1 and 2: Stateless Address Autoconfiguration
• DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration
• Address received from DHCPv6 Server

Option 1: SLAAC – No DHCPv6 (Default on Cisco routers)
• RA: “I’m everything you need (Prefix, Prefix-length, Default Gateway)”
Option 2: SLAAC + Stateless DHCPv6 for DNS address
• RA: “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA)
Option 3: All addressing except default gateway use DHCPv6
• RA: “I can’t help you. Ask a DHCPv6 server for all your information.”
• Options 2 and 3 are discussed in Lesson 8.
RA Message Options
ICMPv6 Router Advertisement: Option 1, 2, or 3
The type of Router Advertisement option depends on two RA flags: the Other Configuration Flag and the Managed Configuration Flag.
• Default: Both flags are set to 0 (Option 1)
  • Use me (RA) for all your addressing information; no additional information is available via DHCPv6.
• Other Configuration Flag when set to “1” (Option 2)
  • Use me (RA) for your address, but you need to get OTHER information from a stateless DHCPv6 server.
• Managed Configuration Flag when set to “1” (Option 3)
  • The client needs to get ALL of its MANAGED information from a stateful DHCPv6 server, except the default gateway.
• Note: Two other flags are the autonomous address-configuration flag and the on-link flag. (“A” Flag discussed in Lesson 8, “L” Flag beyond the scope of this video.)
RA Message Options
ICMPv6 Router Advertisement: Option 1, 2, or 3

Option                                                        O Flag   M Flag
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers)          0        0
Option 2: SLAAC + Stateless DHCPv6 for DNS address              1        0
Option 3: All addressing except default gateway use DHCPv6      0        1

• Configuring Flags discussed in Lesson 8.
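An added example, not from the presentation: a small Python decoder for the RA fields the slides describe (the M and O flags, the Prefix Information option with its L and A flags, and the RFC 6106 RDNSS option), with a builder that constructs a sample RA carrying the slide's prefix and DNS server so it runs offline. The byte layouts follow RFC 4861 and RFC 6106; the checksum is left at zero because only the payload is parsed.

```python
import struct
import ipaddress

RA_TYPE, PREFIX_INFO_OPT, RDNSS_OPT = 134, 3, 25

def build_ra(managed, other, prefix, plen, dns=None):
    """Constructed ICMPv6 RA (RFC 4861) with a Prefix Information option and,
    optionally, an RFC 6106 RDNSS option. Checksum is left 0 (payload only)."""
    flags = (managed << 7) | (other << 6)            # M is bit 7, O is bit 6
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", PREFIX_INFO_OPT, 4, plen, 0xC0, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed      # 0xC0 = L=1 (on-link), A=1 (autonomous)
    rdnss = b""
    if dns:
        rdnss = struct.pack("!BBHI", RDNSS_OPT, 3, 0, 600) + ipaddress.IPv6Address(dns).packed
    return hdr + pio + rdnss

def parse_ra(msg):
    """Decode the RA flags and options a SLAAC host acts on."""
    if len(msg) < 16 or msg[0] != RA_TYPE:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, hop, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", msg[:16])
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]          # option length is in units of 8 bytes
        if olen == 0 or off + olen * 8 > len(msg):   # RFC 4861 4.6: length 0 is invalid
            raise ValueError("malformed ND option")
        body = msg[off:off + olen * 8]
        if otype == PREFIX_INFO_OPT and olen == 4:
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Address(body[16:32])), "len": body[2],
                "on_link": bool(body[3] & 0x80), "autonomous": bool(body[3] & 0x40)})
        elif otype == RDNSS_OPT:
            for i in range(8, olen * 8, 16):         # one 16-byte address after the 8-byte header
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8
    return ra

def slaac_option(ra):
    """Map the M/O flags to the three RA options in the table above."""
    if ra["managed"]:
        return 3
    if ra["other"]:
        return 2
    return 1
```

The same decoder applied to RAs captured on a link shows at a glance whether a router is advertising the expected prefix, flags and DNS server.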
SLAAC: Stateless Address Autoconfiguration
Router(config)# ipv6 unicast-routing
Link prefix: 2001:DB8:CAFE:1::/64
ICMPv6 Router Advertisement
• Prefix and other information
SLAAC (Stateless Address Autoconfiguration)
• Allows a device to create its own IPv6 global unicast address without the services of a DHCPv6 server.
• Prefix: From the Router Advertisement (RA).
• Interface ID:
  • EUI-64
  • Random 64-bit value
Host: “I know the network prefix from the RA. I just need to come up with my own Interface ID for my GUA!”
Ignoring the RA Message?
• The ICMPv6 Router Advertisement suggests to the host how to get its address automatically.
• Can a host ignore an ICMPv6 Router Advertisement?
• Host operating systems can include the option of ignoring the Router Advertisement from the router and only using the stateful services of a DHCPv6 server (or whatever it wants to do).
• However, hosts can’t ignore the default gateway (source of the RA) unless manually configured.
7.2: Creating the Interface ID: EUI-64 or Random Value
Obtaining an IPv6 Address Automatically
SLAAC: Stateless Address Autoconfiguration
Host MAC: 00-19-D2-8C-E0-4C; link prefix 2001:DB8:CAFE:1::/64
SLAAC Option 1 – RA Message
1. The router sends the RA:
   To: FF02::1 (All-IPv6 devices)
   From: FE80::1 (Link-local address)
   Prefix: 2001:DB8:CAFE:1::
   Prefix-length: /64
   Default Gateway: FE80::1
   Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.
2. The host learns Prefix 2001:DB8:CAFE:1:: and Prefix-length /64 from the RA.
3. The host creates its Interface ID with the EUI-64 process or a random 64-bit value.
   Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID
SLAAC: Interface ID
Global unicast address structure: Global Routing Prefix (/48) + Subnet ID (16-bit) = /64 prefix, followed by the 64-bit Interface ID.
Default Interface ID creation by operating system:

Operating System           EUI-64 Process   Randomly Generated Number (Privacy Extension)
Windows XP, Server 2003         ✔
Linux                           ✔
Windows Vista and newer                          ✔
Mac OS X                                         ✔

Default OS behavior can be changed.
SLAAC: EUI-64 Option
Same RA exchange as in the previous slide (MAC 00-19-D2-8C-E0-4C, prefix 2001:DB8:CAFE:1::/64, RA from FE80::1 to FF02::1); in step 3 the host uses the EUI-64 process to create the Interface ID for its Global Unicast Address 2001:DB8:CAFE:1: + Interface ID.
Modified EUI-64 Format (Extended Unique Identifier–64)
MAC address: 00-19-D2-8C-E0-4C
  OUI (24 bits): 00-19-D2
  Device Identifier (24 bits): 8C-E0-4C
Step 1: Insert FF-FE between the OUI and the Device Identifier:
  00-19-D2-FF-FE-8C-E0-4C
Step 2: Flip the U/L bit (7th bit of the first octet):
  00 = 0000 0000 → 0000 0010 = 02
  02-19-D2-FF-FE-8C-E0-4C
Verifying SLAAC on the PC Using EUI-64
PC> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   IPv6 Address. . . . . . . . : 2001:db8:cafe:1:0219:d2ff:fe8c:e04c
   Link-local IPv6 Address . . : fe80::0219:d2ff:fe8c:e04c
   Default Gateway . . . . . . : fe80::1
Callout: the Interface ID 0219:d2ff:fe8c:e04c was created with the EUI-64 process; the prefix came from the Router Advertisement.
A 64-bit Interface ID and the EUI-64 process accommodate:
• The IEEE specification for a 64-bit MAC address
• 64-bit boundary processing
SLAAC: Random 64-bit Interface ID
Global unicast address structure: Global Routing Prefix (/48) + Subnet ID (16-bit) = /64 prefix, followed by the 64-bit Interface ID.
Operating systems that use the EUI-64 process by default: Windows XP, Server 2003; Linux.
Operating systems that use a randomly generated number (privacy extension) by default: Windows Vista and newer; Mac OS X.
Verifying SLAAC on the PC Using Privacy Extension
PC-Windows7> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   IPv6 Address. . . . . . . . : 2001:db8:cafe:1:50a5:8a35:a5bb:66e1
   Link-local IPv6 Address . . : fe80::50a5:8a35:a5bb:66e1
   Default Gateway . . . . . . : fe80::1
Callout: no FF-FE in the Interface ID, so it is a randomly generated value (privacy extension) rather than EUI-64; the prefix still comes from the Router Advertisement.
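An added example, not from the presentation: Python that carries out the Modified EUI-64 steps above, forms the global unicast and link-local addresses a SLAAC host builds from a /64 prefix, generates a random privacy-extension Interface ID, and performs the FF-FE check used on the two verification slides. The MAC addresses and prefix are the ones on the slides; the clearing of the U/L bit in random IDs follows RFC 4941.

```python
import ipaddress
import secrets

def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 Interface ID (8 bytes) from a 48-bit MAC in any common notation."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Step 1: insert FF-FE between the 24-bit OUI and the 24-bit device identifier.
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # Step 2: flip the universal/local bit (7th bit of the first octet, value 0x02).
    return bytes([eui[0] ^ 0x02]) + eui[1:]

def random_iid() -> bytes:
    """Random 64-bit Interface ID (privacy extension); RFC 4941 clears the U/L bit."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)

def slaac_addresses(prefix: str, iid: bytes):
    """GUA and link-local address a SLAAC host forms from a /64 prefix and an Interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit Interface ID")
    gua = ipaddress.IPv6Address(net.network_address.packed[:8] + iid)
    link_local = ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)   # fe80::/64 + same IID
    return str(gua), str(link_local)

def uses_eui64(addr: str) -> bool:
    """True when the Interface ID carries the FF-FE marker (bytes 11-12 of the address)."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"
```

Python prints addresses in compressed form, so the ipconfig hextet 0219 appears as 219.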
SLAAC: Including the DNS Server in the RA *
Router G0/1 on 2001:DB8:CAFE:1::/64 sends an ICMPv6 Router Advertisement with the prefix and other information, including the DNS Server 2001:DB8:CAFE:1::99.
Router(config)# ipv6 unicast-routing
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd ra dns server 2001:db8:cafe:1::99 600
Configures a DNS server with an IPv6 address of 2001:DB8:CAFE:1::99 to be advertised in the RA with a lifetime of 600 seconds.
Ensuring Unique Unicast Addresses
Host addresses:
  Global Unicast: 2001:db8:cafe:1:0219:d2ff:fe8c:e04c
  Link-local: fe80::50a5:8a35:a5bb:66e1
Duplicate Address Detection: the host sends a Neighbor Solicitation for the address it intends to use and waits for a Neighbor Advertisement.
  Neighbor Advertisement not received = unique address
  Neighbor Advertisement received = duplicate address
• SLAAC is stateless: no entity (such as a DHCPv6 server) maintains address-to-device mappings.
• How can we guarantee the address is unique?
• Duplicate Address Detection (DAD)
• Once required for all unicast addresses (static or dynamic); the RFC was updated so that DAD is only recommended.
• /64 Interface IDs!
7.3: Configuring a Router as a SLAAC Client
Routers versus IPv6 Routers
Both routers in the example: interface address 2001:DB8:CAFE:1::1/64, link-local FE80::1.
A router (not enabled as an IPv6 router):
• Configure IPv6 addresses
• Member of All-IPv6 devices multicast group, FF02::1
An IPv6 router (Router(config)# ipv6 unicast-routing):
• Same as a non-IPv6 router
• Member of All-IPv6 routers multicast group, FF02::2 (in addition to FF02::1)
• Sends ICMPv6 Router Advertisement messages
• Can enable IPv6 routing protocols (RIPng, OSPFv3, EIGRP for IPv6)
• Forwards IPv6 packets (transiting the router)
Configuring the Router as a Client
R1 (“IPv6 Router”), Gig 0/1 on 2001:DB8:CAFE:1::/64, sends ICMPv6 Router Advertisements:
R1(config)# interface gig 0/1
R1(config-if)# ipv6 address 2001:db8:cafe:1::1/64
R1(config-if)# ipv6 address fe80::1 link-local
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# ipv6 unicast-routing

Client router, Gig 0/1: “Now I can accept RA messages and get a GUA automatically!”
Client(config)# interface gig 0/1
Client(config-if)# ipv6 enable
! Not needed (link-local address created)
Client(config-if)# ipv6 address autoconfig default
Client(config-if)# no shutdown
Verifying the RA Message
R1 (FE80::1, ::1 on 2001:DB8:CAFE:1::/64, Gig 0/1) sends ICMPv6 Router Advertisements toward the Client on Gig 0/1.
R1# show ipv6 interface gigabitethernet 0/1
(Partial output)
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::FB
    FF02::1:FF00:1
  ND router advertisements are sent every 200 seconds
  Hosts use stateless autoconfig for addresses.
Verifying the Client (Router) Is Using SLAAC/EUI-64
Client# show ipv6 interface brief
GigabitEthernet0/1     [up/up]
    FE80::8A5A:92FF:FE3B:29E1
    2001:DB8:CAFE:1:8A5A:92FF:FE3B:29E1
<Rest of output omitted>
Callout: EUI-64 Interface ID (FF:FE in the middle), derived from the interface MAC address below.
Client# show interface gigabitethernet 0/1
GigabitEthernet0/1 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 885a.923b.29e1 (bia 885a.923b.29e1)
<Rest of output omitted>
Router versus “IPv6 Router”
Client# show ipv6 route
(Partial output)
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ND  ::/0 [2/0]
     via FE80::1, GigabitEthernet0/1
NDp 2001:DB8:CAFE:1::/64 [2/0]
     via GigabitEthernet0/1, directly connected
<Rest of output omitted>
Callouts: ND ::/0 is the default route learned via Neighbor Discovery (SLAAC); NDp 2001:DB8:CAFE:1::/64 is the prefix learned via Neighbor Discovery (SLAAC).
7.4: IPv6 Enabled Clients and Your Network
You Are Probably Already Running IPv6
Dual-stack clients (IPv4 and IPv6) send a Router Solicitation (“I need an IPv6 prefix”); a rogue device on the link answers with a Rogue RA (“Here is an IPv6 prefix and gateway”).
• Windows Vista or later, Mac OS X, Linux are already running IPv6.
• Potential DoS or MITM attack, even if the router is not IPv6 enabled.
• Even if the router is not IPv6 enabled, your clients most likely are!
• Rogue RA sender: “I can still do a DoS attack on clients or perhaps even a MITM attack.”
• There are mitigation techniques such as RA Guard.
SLAAC with DHCPv6 (Global Unicast address options):
• Manual
  • Static
  • Static + EUI-64
  • IPv6 unnumbered (similar to IPv4 unnumbered)
• Dynamic
  • Stateless: SLAAC, SLAAC + DHCPv6 (Lesson 8)
  • Stateful: DHCPv6, DHCPv6-PD