Saturday, 18 October 2014

IPv6 SLAAC GNS3 Example

Like IPv4, there are a number of different ways that a host can be addressed in IPv6; the two most common in IPv4 are static addressing and DHCP. DHCP is often preferred because it not only assigns addresses dynamically, it also provides a way to give host devices other service information such as DNS servers, domain names, and various custom information (DHCP options).

While IPv6 static addressing works exactly the same as IPv4 static addressing, the other methods are quite different than IPv4.

Address configuration in IPv6 can be performed with a couple of methods, generally divided into two categories: Stateless and Stateful.

Stateful Address Assignment means the DHCP server is responsible for assigning IP addresses to the client devices and also keeps a record of the clients and the IP addresses assigned to them. (This is also called Stateful DHCP address assignment.)

With Stateless Address Assignment, the client generates its own IPv6 address based on the address prefix advertised on the vlan (interface). No DHCP server is involved and the client IP address is not tracked. SLAAC (Stateless Address Auto-config) is the method by which client devices generate an address for themselves based on the network prefix advertised in the Router Advertisement (RA) on the local network. By default SLAAC does not provide anything to the client except the IPv6 address and the default gateway, though you can still use DHCP with SLAAC (i.e. Stateless DHCP) to provide the client with other DHCP options such as the domain name. Because this is stateless, the DHCP server does not track or record any client device or its IP address assignment.

SLAAC is implemented on the IPv6 client by listening for these local RAs and then taking the advertised prefix to form a unique address that can be used on the network. For this to work, the advertised prefix must have a prefix length of 64 bits (i.e., /64).

RA messages are sent by default by most IPv6 routers; these messages are sent out periodically by the router and include:

One or more IPv6 prefixes (Link-local scope)
Prefix lifetime information
Flag information
Default device information (Default router to use and its lifetime)

With SLAAC, the client takes the 64-bit prefix advertised in the RA and dynamically forms a 64-bit host identifier, which is appended to the advertised prefix to form an IPv6 address.

Originally, the host identifier was formed using the EUI-64 rules (the same that are used to form link-local addresses) and many devices still use this method. However, some Microsoft operating systems by default do not use this original method. Instead, they take advantage of some additional privacy extensions that were defined in RFC 4941.

Let's see how this is done using the EUI-64 process.

As we can see in the above captures, the prefix advertised in the Router Advertisement is 2000:2000::/64. Let's assume a client whose MAC address is 0050:7966:6802.

The first step of the EUI-64 conversion is to split the MAC address in half and place FF:FE in the middle, giving: 0050:79FF:FE66:6802

Then flip the seventh bit from the left in the most significant byte of the result. For us the most significant byte is 00; converted to binary this is 00000000, and flipping the seventh bit from the left gives 00000010, which in hex is 02.

Thus the final host identifier becomes: 0250:79FF:FE66:6802

Now when the prefix is added to the host identifier, the final IPv6 address of the client becomes: 2000:2000::0250:79FF:FE66:6802/64.

I have set up a lab using GNS3; let's see the results that I get.

Following is the configuration done on Router 1 (here Router 1 is the gateway for vlan 10 and vlan 20).


R1#show run
Building configuration...

Current configuration : 1248 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
ipv6 unicast-routing
!
!
!
interface FastEthernet0/0
 switchport mode trunk
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
 no ip address
!
interface Vlan10
 no ip address
 ipv6 address 2000:1000::1/64
 ipv6 enable
!
interface Vlan20
 no ip address
 ipv6 address 2000:2000::1/64
 ipv6 enable
!
!
no ip http server
ip forward-protocol nd
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end



Router 2 which is just acting as a L2 switch for our Scenario:


R2#show run
Building configuration...

Current configuration : 1154 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
interface FastEthernet0/0
 switchport mode trunk
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport access vlan 20
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Vlan1
 no ip address
!
!
no ip http server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end



In this setup PC1 and PC2 are in vlan 10 while PC3 is in vlan 20. I am using GNS3 VPCS to simulate Host devices. Please refer to the previous post on VPCS for more information.

http://lets-start-to-learn.blogspot.in/2014/10/using-vpcs-in-gns3-to-replicate-host.html


Validating the addresses on the host devices, we can see that each host has picked up its IPv6 address using SLAAC.

VPCS[3]> 1
VPCS[1]> show ipv6

NAME              : VPCS[1]
LINK-LOCAL SCOPE  : fe80::250:79ff:fe66:6800/64
GLOBAL SCOPE      : 2000:1000::2050:79ff:fe66:6800/64
ROUTER LINK-LAYER : cc:00:29:b8:00:00
MAC               : 00:50:79:66:68:00
LPORT             : 20000
RHOST:PORT        : 127.0.0.1:30000
MTU:              : 1500

VPCS[1]> 2
VPCS[2]> show ipv6

NAME              : VPCS[2]
LINK-LOCAL SCOPE  : fe80::250:79ff:fe66:6801/64
GLOBAL SCOPE      : 2000:1000::2050:79ff:fe66:6801/64
ROUTER LINK-LAYER : cc:00:29:b8:00:00
MAC               : 00:50:79:66:68:01
LPORT             : 20001
RHOST:PORT        : 127.0.0.1:30001
MTU:              : 1500

VPCS[2]> 3
VPCS[3]> show ipv6

NAME              : VPCS[3]
LINK-LOCAL SCOPE  : fe80::250:79ff:fe66:6802/64
GLOBAL SCOPE      : 2000:2000::2050:79ff:fe66:6802/64
ROUTER LINK-LAYER : cc:00:29:b8:00:00
MAC               : 00:50:79:66:68:02
LPORT             : 20002
RHOST:PORT        : 127.0.0.1:30002
MTU:              : 1500

The usefulness of SLAAC in any given organization greatly depends on the tracking requirements. Because SLAAC does not provide direct tracking the way a stateful DHCP server would, there is no quick way to determine which machine traffic is coming from without tracking the MAC addresses of the clients and calculating the IPv6 addresses they create. This is further complicated by operating systems (like Windows 7) that use the SLAAC privacy extensions by default, making tracking even harder, if not impossible, without looking at the addresses assigned to each device. SLAAC isn't without a purpose, however. On many small networks there is no real need for this specific tracking, and the use of SLAAC can simplify the addressing of machines and allow them to access public sites (with or without Network Address Translation (NAT)).
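The EUI-64 steps worked through earlier and the tracking approach described above (calculate each client's address from its MAC) can be scripted. The following is an added example, not part of the original post; the function names and the inventory layout are assumptions, the MACs and the first two sample addresses come from the VPCS output on this page, and the third address is constructed.

```python
import ipaddress

# Hosts and MACs as listed in the VPCS "show ipv6" output on this page.
INVENTORY = {"PC1": "00:50:79:66:68:00", "PC2": "00:50:79:66:68:01",
             "PC3": "00:50:79:66:68:02"}

def eui64_iid(mac):
    """Modified EUI-64 interface identifier (8 bytes) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the seventh bit of the first byte, then insert FF:FE in the middle.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix, mac):
    """Address a host using EUI-64 would form from an advertised /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return net[int.from_bytes(eui64_iid(mac), "big")]

def _iid(addr):
    # Low 64 bits of the address, ignoring any "/64" suffix.
    return ipaddress.IPv6Address(addr.split("/")[0]).packed[8:]

def mac_from_address(addr):
    """Undo the EUI-64 steps; None when FF:FE is absent (e.g. RFC 4941)."""
    iid = _iid(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

def attribute(addr, inventory=INVENTORY):
    """Name the inventoried host whose EUI-64 identifier addr carries."""
    for host, mac in inventory.items():
        if eui64_iid(mac) == _iid(addr):
            return host
    return None

if __name__ == "__main__":
    print(slaac_address("2000:2000::/64", "0050:7966:6802"))
    for seen in ("fe80::250:79ff:fe66:6800/64",        # from the page
                 "2000:2000::2050:79ff:fe66:6802/64",  # from the page
                 "2000:1000::a1b2:c3d4:e5f6:1789"):    # constructed
        print(seen, attribute(seen), mac_from_address(seen))
```

Run against the VPCS output above, the LINK-LOCAL SCOPE addresses attribute to PC1 through PC3, while the GLOBAL SCOPE addresses carry the identifier 2050:79ff:fe66:68xx rather than the 0250:79ff:fe66:68xx that the EUI-64 steps produce, so a strict calculation from the MAC does not match them.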




Hope this was helpful :)

