IPv6 configuration

This page describes how we perform IPv6 configuration. Please see also the accompanying page about IPv6_deployment at the departmental (local network) level.

IPv6 information

Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP), the communications protocol that routes traffic across the Internet.

General books about IPv6 can be searched at Amazon.

Internet pages discussing IPv6:

IPv6 addressing

An IPv6 address consists of exactly 8 quartets (groups of 4 hexadecimal digits) separated by : characters. The notation :: stands for one or more consecutive quartets containing only zeroes and can be used only once in an address. Read more about IPv6_addressing.

Usually a /64 (64 bits out of 128) subnet is allocated to the departmental level, for example:

2001:0878:0200::/48       (university level)
2001:0878:0200:xxxx::/64  (department level)

Router Advertisements

For IPv6 to function, our routers must send Router_Advertisement (RA) messages that give hosts on our local network basic information about the IPv6 network prefix and the default gateway address. RAs are part of the Neighbor Discovery Protocol (NDP) [RFC4861]:

  • RA: used by routers to advertise their presence together with various link and Internet parameters.
  • The Neighbor Discovery protocol [RFC4861] describes the operation of IPv6 Router Advertisements (RAs) that are used to determine node configuration information during the IPv6 autoconfiguration process, whether that node's configuration is stateful, via the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) [RFC3315] or stateless, as per [RFC4862], possibly in combination with DHCPv6 Light [RFC3736].

There is a good description of IPv6 Neighbor Discovery.

RAs may cause security and functionality issues, see Rogue IPv6 Router Advertisement Problem Statement [RFC6104].

There is an IETF effort under way to add route information to DHCPv6, see DHCPv6 Route Options draft-ietf-mif-dhcpv6-route-option-05, but there is currently (2013) no such standard.

To monitor the network for RAs from a Linux host use this command:

tcpdump icmp6 | grep advertise

To capture RA packets on the net using Wireshark, start the Capture process, then enter the following Filter for this type of packet:

icmpv6.nd.ra.flag

To install Wireshark on RPM-based Linux distributions:

yum install wireshark-gnome

(or possibly wireshark-gtk+).

On Linux hosts you can display the IPv6 routing information by either of these commands:

/sbin/ip -6 route show [dev <device>]
/sbin/route -A inet6

Router Advertisement flags

NDP Router_Advertisement messages contain several one-bit flags, see IPv6 Router Advertisement Flags Option RFC5175 (section 3). Of particular relevance are:

  • M - Managed Address Configuration Flag [RFC4861] implies the use of DHCPv6.
  • O - Other Configuration Flag [RFC4861] implies that Other configuration information such as DNS should be obtained by DHCPv6. If the M flag is set, the O flag is redundant and can be ignored because DHCPv6 will return all available configuration information.

RA messages may include prefix information. Each prefix has the following flags:

  • L – On-Link Flag. The prefix can be used for on-link determination (other IPv6 addresses with the same prefix are on the same L2 subnet).
  • A – Autonomous Address Configuration Flag. The prefix can be used for stateless address configuration (SLAAC), see RFC4862.
  • R – Router Address flag. When set, indicates that the Prefix field contains a complete IP address assigned to the sending router, see RFC6275.

For further details see IPv6 Router_Advertisements_Deep_Dive and Managed-Config-Flag_is_just_a_hint (contains Cisco IOS config information).

IPv4-mapped IPv6 addresses

Hybrid dual-stack IPv6/IPv4 implementations recognize a special class of addresses, the IPv4-mapped IPv6 addresses. In these addresses, the first 80 bits are zero, the next 16 bits are one, and the remaining 32 bits are the IPv4 address. One may see these addresses with the first 96 bits written in the standard IPv6 format, and the remaining 32 bits written in the customary dot-decimal notation of IPv4.

For example, ::ffff:192.0.2.128 represents the IPv4 address 192.0.2.128.

See http://en.wikipedia.org/wiki/Ipv6#IPv4-mapped_IPv6_addresses

DTU IPv6 network

The Danish DeIC/Forskningsnettet has a page about its DeIC IPv6 network.

The central DTU backbone as well as DTU Wireless networks already implement IPv6. DTU's IPv6 network is:

2001:0878:0200::/48 DTU

see Allocated IPv6 addresses within DeIC.

IPv6 on RHEL6/CentOS6

RHEL6/CentOS6 by default includes the ISC_DHCP software's dhclient (see man dhclient) for both IPv4 and IPv6.

To enable IPv6 on RHEL6/CentOS6 start the NetworkManager tool:

nm-connection-editor &

Select the Wired connection and click Edit on the eth0 device (or other network device). Then click on the IPv6 settings tab to configure addresses (documentation in the RHEL6 manual 8.3.9.5. Configuring IPv6 Settings).

Configure the IPv6 settings Method (default is Ignore):

  • Automatic

DHCPv6 client on RHEL6/CentOS6

The NetworkManager will store DHCP client data in one of these directories:

/var/lib/dhclient/
/var/lib/NetworkManager/

The ip6tables firewall is unfortunately not configured for DHCPv6 clients. Add the following firewall rule to /etc/sysconfig/ip6tables in order to receive responses from the DHCPv6 server:

# DHCPv6 responses
-A INPUT -p udp --dport 546 -j ACCEPT

and do service ip6tables restart.

Strangely, you may have to "prime" the NetworkManager's IPv6 Method to get a correct address from DHCPv6:

  • In NetworkManager change Method to Automatic, DHCP only.

  • In NetworkManager change Method back to Automatic.

  • Restart services:

    service NetworkManager restart
    service network restart

Unfortunately, this workaround must be repeated every time the client is rebooted.

This workaround may apparently also be required on Ubuntu 11.10.

Due to this buggy behavior of NetworkManager, consider not using DHCPv6 on RHEL6/CentOS6 and using manually configured IPv6 addresses instead.

IPv6 on Windows

See IPv6 for Microsoft Windows: Frequently Asked Questions.

What versions of Windows provide support for IPv6?:

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 provide an IPv6 protocol stack and system-side IPv6 support for built-in applications and system services. The IPv6 protocol stack in these versions of Windows is an integrated IPv4 and IPv6 implementation known as the Next Generation TCP/IP stack. For more information, see Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008.

Microsoft also provides a supported IPv6 protocol stack for Windows Server 2003, Windows XP with Service Pack 1 (SP1) or later, and Windows CE .NET 4.1 or later. However, these operating systems have very limited IPv6 support for built-in applications and system services and are not recommended for an IPv6 deployment.

Disabling IPv6 on Windows

See How to disable IP version 6 or its specific components in Windows. This page has Fix it Solutions to enable or to disable IPv6 or to selectively enable or disable components of IPv6 automatically.

IPv6 on Raspberry Pi Raspbian "wheezy"

The Raspberry_pi device with Raspbian "wheezy" doesn't enable IPv6 by default, but there is a well-known procedure at http://www.raspberrypi.org/phpBB3/viewtopic.php?f=66&t=15886.

Add the text ipv6 to /etc/modules, then reboot the computer. Loading ipv6 consumes 300K of RAM. Only the Link Local IPv6 address will become enabled.

Configuring DHCPv6 client

The Raspbian "wheezy" IPv6 network interface does unfortunately not include a DHCPv6 client for dynamically managed addresses. A working method for Debian Linux is described in http://www.rjsystems.nl/en/2100-dhcpv6-stateful-autocfg.php

This will install the package wide-dhcpv6-client, and furthermore some configuration files need to be edited. There is a WIDE_DHCPv6 homepage.

IPv6 on RHEL5/CentOS5

To enable IPv6 on RHEL5/CentOS5 see:

You have to add to /etc/sysconfig/network:

NETWORKING_IPV6=yes

and configure the eth0 (say) interface file /etc/sysconfig/network-scripts/ifcfg-eth0 for some manual addresses (xxx):

IPV6INIT=yes
IPV6ADDR=xxx
IPV6_DEFAULTGW=xxx

The IPv6 configuration parameters are listed in /etc/sysconfig/network-scripts/ifup-ipv6:

# Uses following information from "/etc/sysconfig/network":
#  NETWORKING_IPV6=yes|no: controls IPv6 initialization (global setting)
#  IPV6_DEFAULTDEV=<device>: controls default route (optional)
#  IPV6_DEFAULTGW=<address>: controls default route (optional)
#
# Uses following information from "/etc/sysconfig/network-scripts/ifcfg-$1":
#  IPV6INIT=yes|no: controls IPv6 configuration for this interface
#  IPV6ADDR=<IPv6 address>[/<prefix length>]: specify primary static IPv6 address
#  IPV6ADDR_SECONDARIES="<IPv6 address>[/<prefix length>] ..." (optional)
#  IPV6_ROUTER=yes|no: controls IPv6 autoconfiguration (no: multi-homed interface without routing)
#  IPV6_AUTOCONF=yes|no: controls IPv6 autoconfiguration
#   defaults:
#    IPV6FORWARDING=yes: IPV6_AUTOCONF=no, IPV6_ROUTER=yes
#    IPV6FORWARDING=no: IPV6_AUTOCONF=yes
#  IPV6_MTU=<MTU for IPv6>: controls IPv6 MTU for this link (optional)
#  IPV6_PRIVACY="rfc3041": control IPv6 privacy (optional)
#    This script only supports "rfc3041" (if kernel supports it)

DHCPv6 service

DHCPv6 is a network protocol that is used for configuring IPv6 hosts with IP addresses, IP prefixes and/or other configuration required to operate on an IPv6 network.

DHCPv6 uses UDP port number 546 for clients and port number 547 for servers.

It is required to run a DHCPv6 server on the local subnet, even if client addresses are auto-configured. At a minimum, addresses of IPv6 DNS recursive resolver servers must be provided to clients by the DHCPv6 server.

DHCPv6 address assignment

The host IPv6 address and DNS information may be assigned by Router Advertisements and/or a DHCPv6 server. How this happens on various host operating systems is really confusing as discussed in this paper:

There are some other interesting papers:

Probably the correct (or optimal) DHCPv6 address assignment method must be combined with the following Router Advertisements configuration:

  • M flag is on.
  • O flag is on.
  • A flag is on.
  • L flag is on.
  • No prefix advertisement.

However, client OSes such as Android may not behave correctly when managed by DHCPv6, see the above paper.

For example, for a Cisco router's subnet xx:yy:zz:ww::/64 the configuration of RA flags may be:

ipv6 nd prefix xx:yy:zz:ww::/64 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 nd router-preference High

In the ipv6 nd prefix command the A and L flags are on (=1) by default (can be changed by the no-autoconfig and no-onlink flags). See this Cisco IOS IPv6 Command Reference.
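The following added example (not part of the original page and not vendor code) decodes the M/O flags and the per-prefix L/A/R flags of a captured Router Advertisement and reports deviations from the RA configuration recommended above, which is one way to spot the rogue RAs described in RFC6104. The router address fe80::1, the prefix 2001:db8:1::/64 and all function names are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

def parse_ra(icmp6):
    """Decode the flags of an ICMPv6 Router Advertisement (RFC4861, type 134)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40), "prefixes": []}
    pos = 16                                   # options follow the 16-byte fixed part
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8   # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:    # Prefix Information option
            plen, pflags = icmp6[pos + 2], icmp6[pos + 3]
            prefix = ipaddress.IPv6Address(bytes(icmp6[pos + 16:pos + 32]))
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "L": bool(pflags & 0x80),
                                   "A": bool(pflags & 0x40),
                                   "R": bool(pflags & 0x20)})
        pos += opt_len
    return ra

def audit_ra(source, icmp6, known_routers):
    """List deviations from the policy: known router, M flag on, no prefix advertised."""
    ra = parse_ra(icmp6)
    findings = []
    if source not in known_routers:
        findings.append(f"RA from unregistered router {source}")
    if not ra["M"]:
        findings.append("M flag off: hosts are not directed to DHCPv6")
    for p in ra["prefixes"]:
        note = " with A flag (hosts will autoconfigure)" if p["A"] else ""
        findings.append(f"prefix {p['prefix']} advertised{note}")
    return findings

def build_ra(flags, prefix=None, pflags=0):
    """Construct a sample RA for this demonstration (checksum left at zero)."""
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        msg += struct.pack("!BBBBIII", 3, 4, net.prefixlen, pflags, 2592000, 604800, 0)
        msg += net.network_address.packed
    return msg

# Constructed samples: fe80::1 stands for the registered router (assumption).
KNOWN_ROUTERS = {"fe80::1"}
GOOD_RA = build_ra(0xC0)                                   # M=1, O=1, no prefix
ROGUE_RA = build_ra(0x00, "2001:db8:1::/64", pflags=0xC0)  # M=0, prefix with L=1, A=1

if __name__ == "__main__":
    print(audit_ra("fe80::1", GOOD_RA, KNOWN_ROUTERS))
    print(audit_ra("fe80::2", ROGUE_RA, KNOWN_ROUTERS))
```

The bytes passed to parse_ra are the ICMPv6 message only, i.e. the packet with the Ethernet and IPv6 headers already removed.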

DHCPv6 documentation

Defining documents are in the IETF RFCs:

  • RFC3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
  • RFC4361: Using DUIDs in DHCP for IPv4
  • RFC6355: Definition of the UUID-Based DHCPv6 Unique Identifier (DUID-UUID)
  • RFC6939: Client Link-Layer Address Option in DHCPv6 (defining a new DHCPv6 option in 2013).

For multiple subnets or VLANs there unfortunately does not exist any DHCPv6 relay agent similar to the DHCPv4 relay agent (RFC2131). However, there exists an IETF draft Client Link-layer Address Option in DHCPv6 which attempts to create a future standard for a DHCPv6 relay agent.

DHCPv6 server software

There are several implementations of DHCPv6 servers:

DHCPv6 Unique IDentifier (DUID)

The DHCP Unique Identifier (DUID) is defined by RFC3315 (section 9). It is used by DHCPv6 servers and clients as part of the IPv6 address assignment process.

You can no longer simply use the MAC address of an interface to assign a fixed IP address via DHCPv6. However, you can use MAC-addresses as client identifiers if you deploy the dhcpy6d open source server for DHCPv6. Please read the sections on dhcpy6d below.

RFC3315 (section 11) lists the client information which may be used, the DUID being one of them. Unlike DHCPv4, in which the MAC address of the client interface is included in a DHCP request, DHCPv6 may use a DHCP Unique Identifier, or DUID, to uniquely identify the client. The same DUID is used by the system regardless of which interface a DHCPv6 message originates from.

DUID on Windows 7

Windows 7 can display its DHCPv6 DUID in a command window:

ipconfig /all
...
Ethernet adapter Local Area Connection:
...
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-C1-BA-6E-08-00-27-30-C3-B8

DUID on Fedora Linux

Recent Fedora versions use NetworkManager for network interface management. The DUID will be generated by NetworkManager and stored as a line in one of these DHCP lease files:

/var/lib/dhclient/dhclient6.leases
/var/lib/NetworkManager/dhclient6-*.lease

For example (please note that the ISC dhclient6 stores the DUID value in a binary representation):

default-duid "\000\001\000\001\031\012D\036<\331+m3\004";

From NetworkManager 0.9.7.997 Released with Minor Fixed (Fedora 18 and onwards) the DHCPv6 DUID will be generated using the machine identifier file /etc/machine-id as input, instead of by the dhclient DHCPv6 client daemon.

UUID-Based DHCPv6 Unique Identifier (DUID-UUID)

If a long-term stable hardware identifier is required, the DUID could be configured using the UUID-Based DHCPv6 Unique Identifier (DUID-UUID) which has been assigned DUID Type 4 by RFC6355:

This document defines a new DHCPv6 Unique Identifier (DUID) type called DUID-UUID.
DUID-UUIDs are derived from the already-standardized Universally Unique IDentifier (UUID) format.
DUID-UUID makes it possible for devices to use UUIDs to identify themselves to DHC servers and vice versa.
UUIDs are globally unique and readily available on many systems, making them convenient identifiers to leverage within DHCP.

Thus the system's RFC6355 DUID-UUID value must have a 2-byte value of 4 (i.e., 0004) followed by the 32-byte (128-bit) hardware UUID:

0004<UUID>

The system's UUID can be found by these commands:

  • Linux: dmidecode | grep UUID
  • RHEL6, Fedora: cat /sys/devices/virtual/dmi/id/product_uuid
  • Windows: WMIC CSPRODUCT
  • ESXi: vsish -e get /hardware/machineUUID

The DHCPv6 DUID based upon the UUID may be configured as in the examples in xCat_DHCPv6_management.

Intel's Ethernet PXE booting uses a GUID (a synonym for UUID) which might be useful for network booting. The PXE GUID/UUID is defined in Intel's PXE_specification document, and its hexadecimal value is usually displayed next to the Ethernet MAC address on a PC's PXE network boot screen, for example:

[Figure PXE.png: PXE network boot screen displaying the GUID]

For the hardware GUID in this figure (823126F9-549F-4981-BEEE-00B13FD535F9) the RFC6355 DUID-UUID would become in hexadecimal representation:

0004823126F9549F4981BEEE00B13FD535F9

PXE-booting and GUID/UUID

The PXElinux page explains how the BIOS PXE booting uses TFTP to download configuration files. The first file name being tried is the value of the GUID/UUID, so that PXE boot actions can be configured based upon this value.
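The DUID notations shown in the sections above can be decoded and compared in a few lines. This is an added example, not part of the original page. It reads the Windows and ISC dhclient forms, so a client can be matched against a registered MAC address, and builds the RFC6355 DUID-UUID from the PXE GUID; the function names are assumptions, and the three sample values are the ones quoted on this page.

```python
import re
import uuid

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}

def from_ipconfig(text):
    """DUID as printed by Windows 'ipconfig /all' (hex pairs joined by '-')."""
    return bytes.fromhex(text.replace("-", ""))

def from_dhclient(text):
    """DUID as stored in an ISC dhclient lease file."""
    # Printable bytes appear literally, the others as backslash + 3 octal digits;
    # a backslash before any other character escapes that character.
    out = bytearray()
    for octal, escaped, plain in re.findall(r"\\([0-7]{3})|\\(.)|(.)", text, re.S):
        out.append(int(octal, 8) if octal else ord(escaped or plain))
    return bytes(out)

def describe(duid):
    """Split a DUID into its RFC3315 (section 9) or RFC6355 fields."""
    kind = int.from_bytes(duid[:2], "big")
    info = {"type": DUID_TYPES.get(kind, f"unknown ({kind})")}
    if kind in (1, 3):                       # hardware type, [time,] link-layer address
        info["hwtype"] = int.from_bytes(duid[2:4], "big")
        if kind == 1:                        # seconds since 2000-01-01 UTC
            info["time"] = int.from_bytes(duid[4:8], "big")
        lladdr = duid[8:] if kind == 1 else duid[4:]
        info["lladdr"] = ":".join(f"{b:02x}" for b in lladdr)
    elif kind == 4 and len(duid) == 18:      # 2-byte type + 128-bit UUID
        info["uuid"] = str(uuid.UUID(bytes=duid[2:]))
    return info

def duid_uuid(guid):
    """Build the RFC6355 DUID-UUID: type 0004 followed by the 128-bit UUID."""
    return b"\x00\x04" + uuid.UUID(guid).bytes

# Sample values quoted on this page.
WINDOWS = "00-01-00-01-16-C1-BA-6E-08-00-27-30-C3-B8"
DHCLIENT = r"\000\001\000\001\031\012D\036<\331+m3\004"
PXE_GUID = "823126F9-549F-4981-BEEE-00B13FD535F9"

if __name__ == "__main__":
    print(describe(from_ipconfig(WINDOWS)))
    print(describe(from_dhclient(DHCLIENT)))
    print(duid_uuid(PXE_GUID).hex().upper())
```

Both sample DUIDs turn out to be of type DUID-LLT, which embeds the MAC address of one interface together with a timestamp.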

Firewall rules for the DHCPv6 server

In order for the server to receive DHCPv6 requests from the network, the iptables firewall must allow UDP port 547:

  • RHEL7/CentOS7: Using firewalld open the dhcpv6 service port 547/udp:

    firewall-cmd --zone=public --add-service=dhcpv6 --permanent
    firewall-cmd --reload

    List the opened services, for example:

    # firewall-cmd --list-services
    dhcpv6-client dhcpv6 ssh

    For further information see http://www.firewalld.org/documentation/howto/open-a-port-or-service.html

  • RHEL6/CentOS6: Edit /etc/sysconfig/ip6tables to add:

    # Allow DHCPv6 server
    -A INPUT -m state --state NEW -m udp -p udp --dport 547 -j ACCEPT

    and restart the service:

    service ip6tables restart

From a remote host you can port-scan the server's port 547/udp with nmap:

nmap -O -6 -p 547 -sU <server>

dhcpy6d DHCPv6 server

dhcpy6d is an open source server for DHCPv6, the DHCP protocol for IPv6. Its development is driven by the need to be able to use the existing IPv4 infrastructure in coexistence with IPv6. In a dualstack scenario, the existing DHCPv4 most probably uses MAC addresses of clients to identify them. This is not intended by RFC3315 for DHCPv6, but also not forbidden. dhcpy6d is able to do so in local network segments and therefore offers a pragmatical method for parallel use of DHCPv4 and DHCPv6, because existing client management solutions could be used further.

Installation on RHEL7/CentOS7

  • Install DNS and database support:

    yum install python-dns sqlite MySQL-python

  • Download the latest dhcpy6d-XXX.el7.centos.noarch.rpm el7 RPM package from http://dhcpy6d.ifw-dresden.de/download/ and install it:

    yum install dhcpy6d-*.el7.centos.noarch.rpm

Installation on RHEL6/CentOS6

  • Locate the dnspython version appropriate for your Linux version. For example, you can install the RPMForge repository and install dnspython from there:

    yum install http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
    yum upgrade rpmforge-release   # Just in case there is a newer version
    yum install python-dns

Configuring dhcpy6d

Please consult the dhcpy6d_configuration page. The configuration file is /etc/dhcpy6d.conf. We have chosen a simple text file /etc/dhcpy6d-clients.conf for client definitions and a simple SQLite database for the DHCP leases.

Starting the dhcpy6d service

When you have completed the dhcpy6d_configuration, add the dhcpy6d service:

  • RHEL7/CentOS7:

    systemctl enable dhcpy6d
    systemctl start dhcpy6d

  • RHEL6/CentOS6:

    chkconfig --add dhcpy6d
    service dhcpy6d start

    When it's completely tested, make sure dhcpy6d starts at boot time:

    chkconfig dhcpy6d on

Leases database in dhcpy6d

The dhcpy6d leases database is described in dhcpy6d_configuration.

If using an SQLite database, its contents can be dumped to stdout by:

sqlite3 /var/lib/dhcpy6d/volatile.sqlite .dump

so that you can view the DHCP leases in the database. SQLite commands are described in Command Line Shell For SQLite.

ISC DHCPv6 server on RHEL6 Linux

RHEL6's ISC_DHCP server (install by: yum install dhcp) is configured by the file /etc/dhcp/dhcpd6.conf. An example configuration file from the dhcp RPM is in the file /usr/share/doc/dhcp-4.1.*/dhcpd6.conf.sample.

By convention, DHCPv6 subnets at DTU ought to contain at most 4096 IPv6 addresses (limited by switch lookup tables of max. 4096 entries). The DTU IPv6 conventions are thus:

  • Network scope/type (DTU):(inst):yyyy::
  • Network prefix: /64

In the /etc/dhcp/dhcpd6.conf file a subnet6/range6 declaration may look like:

subnet6 2001:878:200:xxxx::/64 {
      range6 2001:878:200:xxxx:yyyy::/116;
}

The /116 range (i.e., 128-116=12 bits or 4096 addresses) will restrict the IPv6 range to at most 4096 clients, the reason being that most network switches cannot handle more than this number of MAC-addresses in their internal tables.

Managing DHCPv6 clients with the ISC DHCPv6 server

In many organizations the ability to identify client computers on the network will be required for IT security reasons. Therefore we want to restrict our DHCP servers so that they grant addresses only to registered and authorized client computers. In the ISC_DHCP server this is done in the configuration file (see man dhcpd.conf) by:

deny unknown-clients;

Unfortunately, the ISC_DHCP DHCPv6 server (version 4.1.1 in RHEL6) appears to be buggy and the deny unknown-clients configuration has no effect. Please see this mailing list thread DHCPv6: deny unknown-clients doesn't work.

Linux DHCP clients and /etc/resolv.conf

On UNIX and Linux hosts, the DHCPv6 client instance has to run as a separate process from the DHCPv4 one, and the two processes race each other to update the /etc/resolv.conf file. The NetworkManager should handle this correctly (testing needed).

IT-wiki: IPv6_configuration (last edited 2017-05-26 13:31:24 by OleHolmNielsen)