Cisco DHCPv6 Server Configuration

Hi Rene and staff,

I read the forum and I found questions (and answers) about where the IID of R1’s interface F0/0 comes from (because there is no IID range configured in the DHCPv6 stateful pool, as we know it from IPv4).
The answer is: Cisco does it randomly on R1, isn’t it?

But my question is about configuring F0/0’s IID on the DHCPv6 server; this is a static configuration. Rene uses 0:0:0:1 for the lesson, but in production that seems too trivial and it would be better for security/privacy if we could also use a random IID, wouldn’t it?
So I am surprised (with the IOS versions I am using) that Cisco does not offer the option to generate a random IID for configuring a static GUA with a given prefix on the router interfaces.
I googled a little but I didn’t find any answer to my question.
Am I missing something?
Regards

Hello Dominique

When implementing DHCPv6 in a stateful manner, yes, it looks like Cisco assigns the Interface ID of the client randomly. How this is assigned really depends on the operating system being used by the host. Some, like Windows, may use the EUI-64 method to determine the IID for the GUAs, for example.

Yes, this is true, and it is confirmed in RFC 4941 that a randomly assigned IID provides an improved level of privacy. However, this is the case for the client IPv6 addresses assigned via DHCPv6. The IID of the F0/0 interface of the DHCPv6 server must be static and cannot be randomly assigned, in order for DHCPv6 hosts to reach it.

Now you may say that using the ipv6 nd managed-config-flag command will tell the host where to find the DHCPv6 server, even if the GUA address is randomly assigned. In this particular case, the DHCPv6 server is the same as the default router, so this would work. However, in most cases the DHCPv6 server is a centralized server (not on the same subnet as the hosts) and is required to have a static IPv6 address so it can be reached.

The randomization of the IID of DHCPv6 hosts involves privacy issues that have more to do with collecting information about individuals and their habits, where they go, from where they connect and so on. These privacy issues don’t have such a great impact on the DHCPv6 server, as this is simply a server that is not vulnerable to such privacy issues.

For servers and services, it is always best practice to have a statically assigned GUA or a constant DNS record that points to the valid IPv6 address so that they are accessible all the time.

I hope this has been helpful!

Laz

1 Like

Hi Laz,
Helpful? Yes, it is.

The true thing is: when you dive into DHCPv6, it is much more complex than DHCPv4. So I think this WAS one of the reasons not to introduce DHCPv6 in your company!!!

For those who are interested, I recommend 2 links from Pepelnjak


and

  1. My post was not clear. When a host uses DHCPv6 (is forced to), it receives an IPv6 IID from the DHCPv6 server. This IID is built randomly by the server and sent to the host, and the server stores the binding with this host. The question was: independently of DHCP (v6), when you assign a static address to an interface, why does IOS not offer an option to set the IID randomly?

  2. If you read Pepelnjak’s papers above, written in 2012, you will find
    “At the moment (2012), DHCPv6 cannot be used to send the prefix length …to IPv6 hosts”

I wonder why DHCPv6 was built in such a complex way.

First, you have to use ND RA to send the prefix/length and to force DHCPv6 with flag M=1 and prefix flag A=1 and prefix flag L=1.
Second, the DHCPv6 server has to build the IID randomly and send it to the host.
Is that right?

Pepelnjak said “at the moment”, so what is the situation in 2020, 8 years later?

Regards

1 Like

Hello Dominique

It’s always great to see your posts, and to spend the time looking deeper into the concepts of IPv6!
Thanks for sharing those posts with us.

The answer here is “I don’t know”. This has to do with the policies adopted by each individual vendor and the way the operating system of the device is configured. Typically, if SLAAC is used, a Cisco device will use EUI-64 to generate its IID even for the global unicast address. A Microsoft Windows PC for example, will by default use a random interface ID, but can be configured to use the EUI-64 process. As far as I know Cisco devices cannot be configured to create a random IID. It’s not ideal from a privacy perspective, but there you go.

An effort has been made in IPv6 to disassociate the prefix length from the actual address. Unlike IPv4, where the subnet mask was an absolutely necessary component of the address, the prefix length here is something a little less connected. This is evident from comments I made in this other post responding to another query you had.

The prefix length is always provided by the default router via the RA.

I think the reasoning behind this architecture is to try to make IPv6 as “plug and play” as possible. What I mean is, if everything is set to the default, an IPv6 device plugged in to an IPv6 network, will automatically gain its default gateway and obtain network connectivity without a single configuration from a human being. This philosophy is phenomenal if you think about it, because from now on, new devices (TVs, cameras, refrigerators, washers, dryers, lights, cars, alarm systems, traffic signs, sensors, etc, etc, etc, etc…) will all automatically obtain network connectivity. Do you want to go in and configure each one? Or configure each network to function appropriately? These will all connect by default.

The whole concept behind all of this is to make future networks, which will be networks with devices that don’t have a direct human-computer interface, obtain network connectivity with zero configuration. In order to achieve this “simplicity” it was necessary to create a more complex autoconfiguration concept for such networks. For networks that require more information than is available from the autoconfig, like more traditional PCs, IP phones, mobile phones, laptops etc, such as DNS, and additional DHCP options, the additional functionality of DHCPv6 is added on top of the autoconfig capability.

And as always, I hope this has been helpful!

Laz

3 Likes
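One way to combine the two points discussed above (a random IID for privacy, but a static address so the server stays reachable) is to generate the IID once, offline, and configure the resulting address statically. This is an added example, not code from the lesson or from Cisco; the prefix `2001:db8:0:12::/64` and the function names are assumptions.

```python
import ipaddress
import secrets


def is_unsuitable_iid(iid: int) -> bool:
    """True for 64-bit IIDs that should not be used on a unicast interface."""
    if iid == 0:
        return True  # Subnet-Router anycast address (RFC 4291)
    if 0xFDFFFFFFFFFFFF80 <= iid <= 0xFDFFFFFFFFFFFFFF:
        return True  # reserved subnet anycast range (RFC 5453)
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return True  # ff:fe in the middle makes it look EUI-64/MAC-derived
    return False


def random_static_address(prefix: str) -> ipaddress.IPv6Interface:
    """Pick a random IID inside a /64 and return it as an interface address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    while True:
        iid = secrets.randbits(64)  # CSPRNG, so the IID is not guessable
        if not is_unsuitable_iid(iid):
            addr = ipaddress.IPv6Address(int(net.network_address) | iid)
            return ipaddress.IPv6Interface(f"{addr}/64")


def ios_interface_line(iface: ipaddress.IPv6Interface) -> str:
    """Format the address as an IOS interface configuration command."""
    return f"ipv6 address {str(iface.ip).upper()}/{iface.network.prefixlen}"


if __name__ == "__main__":
    # Constructed documentation prefix, not the one used in the lesson.
    print(ios_interface_line(random_static_address("2001:db8:0:12::/64")))
```

The generated address is used like any other static address: it is chosen once and then recorded wherever the server is referenced (DNS, relay destinations).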

Great lesson! When I tried this lab today on GNS3 (2.2.25) using VIRL images, specifically IOSv 15.7 routers, concerning the stateless configuration, my stateless host could not compute a global unicast IPv6 address unless I configured it first with the ipv6 address autoconfig command. If I did the stateless DHCP server first, then tried to enable autoconfig on my stateless host, it would not compute a global unicast address, only a link-local. Is there a reason for this?

Hello Earl

An IPv6 interface will compute a global unicast IPv6 address only if the ipv6 address autoconfig command is issued AND there is an active IPv6 router on that subnet. So your first statement makes sense, that no IPv6 global unicast address is computed unless that command is issued on the interface.

Your second statement however shouldn’t be so. If you have the DHCPv6 stateless configuration on the DHCPv6 router configured, then R2 should be able to compute its global unicast IPv6 address. If no IPv6 global unicast address can be computed, then that means that R2 is not able to receive any RA messages from the DHCPv6 router. Can you confirm that your configuration is correct? You can also use the debug commands used in the lesson to see if the information request is being received by the DHCPv6 router.

Let us know how you get along so that we can help you further in troubleshooting.

I hope this has been helpful!

Laz

Hi,
I’m trying to sort out an issue with DHCPv6 lease times.
My issue is how do I set a lease to infinite.
The default lease time for Cisco kit is 30 days; I would like to make it like a static address.
I’ve tried the information refresh infinite command, but that doesn’t appear to change the 30 days.

Andy

Hello Andy

I went into one of my production ISR 4331 routers and created an IPv6 DHCP pool called “laz”.
I attempted to change the information refresh infinite command, and I was able to do so:

R1(config)#ipv6 dhcp pool laz
R1(config-dhcpv6)#information refresh infinite
R1(config-dhcpv6)#exit
R1(config)#exit
R1#show ipv6 dhcp pool
DHCPv6 pool: laz
  Information refresh: 4294967295
  Active clients: 0
R1#

You can see that the information refresh is set to 4294967295. The value for the refresh time interval is represented by a 32-bit value. According to RFC 8415, when this 32-bit number is set to all ones, the value is interpreted as infinity. This means that the information refresh value of 4294967295, which is 2^32, is indeed the decimal number that corresponds to a 32-bit number of all ones, and thus it means infinity.

What do you see on your device that indicates that this configuration doesn’t change the DHCPv6 behavior? Let us know so that we can further help you in your troubleshooting procedures.

I hope this has been helpful!

Laz

Hi Laz,
I was looking in the wrong place…
I was looking under

ISP#sh ipv6 dhcp bind
Client: FE80::5054:FF:FE04:4B25 
  DUID: 00030001525400044B25
  Username : unassigned
  VRF : default
  Interface : GigabitEthernet0/0
  IA PD: IA ID 0x00020001, T1 302400, T2 483840
    Prefix: 2001:DB8:1100::/48
            preferred lifetime 604800, valid lifetime 2592000
            expires at Nov 05 2021 11:18 AM (2590873 seconds)

and expecting the expires to change but as you pointed out

ISP#sh ipv6 dhcp pool
DHCPv6 pool: CUSTOMERS
  Prefix pool: GLOBAL_POOL
               preferred lifetime 604800, valid lifetime 2592000
  DNS server: 2001:4860:4860::8888
  DNS server: 2001:4860:4860::8844
  Domain name: NETWORKLESSONS.LOCAL
  Information refresh: **4294967295**
  Active clients: 1

is where I should have been looking.

I’ll have to start reading the RFCs :thinking:

2 Likes
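The binding output posted above also illustrates the EUI-64 privacy point raised earlier in the thread: the client's link-local address and its DUID both embed the same MAC address. The following added example (not part of the original posts; the function names are assumptions and the second record is constructed) recovers the MAC from each field and flags bindings whose address exposes the hardware identifier.

```python
import ipaddress


def _fmt(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def mac_from_eui64(addr: str):
    """Return the MAC embedded in a modified EUI-64 IID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # no ff:fe filler, so not EUI-64 derived
    # Flip the universal/local bit back and drop the ff:fe filler.
    return _fmt(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


def mac_from_duid(duid_hex: str):
    """Return the Ethernet MAC carried in a DUID-LLT (1) or DUID-LL (3)."""
    raw = bytes.fromhex(duid_hex)
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != 1:
        return None  # too short, or hardware type is not Ethernet
    duid_type = int.from_bytes(raw[0:2], "big")
    if duid_type == 3:
        ll = raw[4:]
    elif duid_type == 1:
        ll = raw[8:]  # skip the 4-byte timestamp
    else:
        return None  # DUID-EN, DUID-UUID: no link-layer address
    return _fmt(ll) if len(ll) == 6 else None


def audit(bindings):
    """Return (address, mac, matches_duid) for addresses exposing a MAC."""
    findings = []
    for addr, duid in bindings:
        mac = mac_from_eui64(addr)
        if mac:
            findings.append((addr, mac, mac == mac_from_duid(duid)))
    return findings


BINDINGS = [
    ("FE80::5054:FF:FE04:4B25", "00030001525400044B25"),  # from the output above
    ("FE80::9C1D:4E7A:2B60:13F8", "00030001525400AABBCC"),  # constructed
]

if __name__ == "__main__":
    print(audit(BINDINGS))
```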

Hi Community!

As we verify #show ipv6 dhcp pool on the DHCPv6 server, the STATEFUL DHCP pool is showing Active Clients, whereas the STATELESS DHCP pool is showing Active Clients = 0, even though the STATELESS DHCPv6 client received an IPv6 address through AUTOCONFIG. Please explain if any config is missing.

Hello Raghu

When configuring DHCP pools for use with stateless DHCP, the DHCP server is not actually managing IPv6 addresses. It is just providing supplementary information such as DNS server addresses to the stateless clients. Since no actual IPv6 addresses are being provided by the DHCP pool, the “active client” number remains zero. An active client is only one for which IPv6 addresses are actively managed.

I labbed this one up as well just to verify.

I hope this has been helpful!

Laz

Hi Lazaros
Thanks for the explanation. :smile:

1 Like

Hi all,

Very interesting discussion and lab. I’m trying to set up a similar IPv6 DHCP stateful environment, also using a DHCP relay router, so the DHCP server and client are not on the same segment.
For now I have some problems because the router acting as client is not able to get the IPv6 address from DHCP; it seems that the DHCP server is receiving the request and seems to reply… but somewhere the communication is broken.

Do you plan to describe this type of case in a lesson lab as well?

Thanks
Stefano

Hello Stefano

That’s a good exercise to do. You can take a look at the following thread in Cisco’s community that describes how to set up a DHCPv6 relay.

Remember that for DHCPv6, it is possible to have your local router deliver the IPv6 prefix to the client, and still use DHCPv6 relay for other network parameters such as DNS server for example. So even if you do enable the relay feature, you may not be getting your IPv6 addresses from the relayed DHCPv6 server, but from the local router. In order to ensure that your IPv6 addresses are being delivered by the DHCPv6 server, you can use the no-autoconfig keyword as used in this lesson.

Can you share some more details of the specific trouble you are facing in your particular implementation? Maybe we’ll be able to help you further…

I hope this has been helpful!

Laz

Hello Laz,
Thanks a lot for your suggestion that confirmed my experience on the Lab.

My issue in the end was a trivial routing problem due to the way the DHCP relay router sends packets to the DHCP server, always using the WAN interface as the source IP and not the interface facing the clients.

I’ll send a description of my lab and a synthesis of the configs applied as soon as possible.

Just a note: in my experience, when using a Cisco IOS router to simulate an IPv6 client, it is better not to enable IPv6 unicast-routing, as with routing enabled I was not able to have a valid default route installed.

Thanks and good day to all

Stefano

Hello Stefano

Thanks for sharing your solution! Looking forward to seeing your description of the lab for more detailed info.

Yes, thanks for pointing that out. That would be best practice since most IPv6 hosts, such as a PC or a mobile device are not capable of IPv6 routing, so that would be a more accurate simulation.

Thanks for your input!

Laz

I have got an issue with the command
#ipv6 address dhcp

I couldn’t find dhcp after address when I put ?
It gives other options but not dhcp.

Hello Abdalla

It seems that your device simply doesn’t support the DHCP option for IPv6 addresses. There are indeed some IOS versions that will not support this. Can you share your IOS version with us so we can verify?

I hope this has been helpful!

Laz

Thank you Lagpides,
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 20-Feb-14 06:51 by prod_rel_team

ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1)

Hello Abdalla

The 7200 series routers are indeed older routers with an end of sale date in 2012 and end of support date of 2017. Although they do support some IPv6 features, I believe that they are limited, and this is why you do not find the command in the CLI.

To confirm this I tried going into the archived data section of the Cisco Feature Navigator to find the exact features that the device supports, however, I was unable to find it, or the service was down at the time. Cisco states that the data in the archived section may be incomplete, so I was unable to confirm. However, you can attempt to go to this Cisco tool and determine if the configuration of an IPv6 address on an interface via DHCP is supported.

I hope this has been helpful!

Laz