Playing around with FortiOS and the DHCPv6 server
I had a few requests for some more DHCPv6 configurations and examples.
I wanted to go over the possible means of automatic IPv6 addressing:
- DHCPv6 + SLAAC (stateless DHCPv6: the address comes from the advertised prefix, everything else from the DHCPv6 server; the router advertisement carries the O flag)
- DHCPv6 only (stateful DHCPv6: address and options both come from the server; the router advertisement carries the M flag)
- SLAAC only (no DHCPv6 at all)
An IPv6-aware machine can gather its addressing via any of the above methods, stateful or stateless. Within stateless, the machine takes its address from the advertised prefix and gathers DHCPv6-provided information such as:
- Domain name
- DNS servers
- SIP servers
- NIS servers
- NTP servers
- Etc.
A client configured only for DHCPv6 (stateful) gathers the same information plus an IPv6 address (an IA_NA lease, not merely a prefix) from the DHCPv6 service. Note that even a stateful client still learns the on-link prefix and its default router from router advertisements; DHCPv6 has no option for a default gateway. This is stateful versus SLAAC, which is also known as "autoconf". SLAAC is supported by almost all common IPv6-aware OSes by default. DHCPv6 clients are limited mainly to Windows, Linux, FreeBSD and OpenSolaris, and a few router/switch vendors.
In this post, we are configuring a FreeBSD host for "stateless + DHCP". This host is running FreeBSD 9.2 on an unpatched kernel, and the FortiGate is running the most current codeset, in a multi-VDOM configuration.
First, let's look at the FortiGate IPv6 interface config:
Now, let's look at the DHCPv6 server config:
You will notice a few things between these two outputs:
- We have the manage (M) flag enabled in the router advertisement
- We have a prefix being advertised
- Our DHCPv6 server has a scope (I will talk about this later)
- Plus a few other items (DNS server + domain)
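Since the two config outputs above were captured as screenshots, here is an added, illustrative FortiOS CLI fragment (not the original post's own output) showing the pieces the bullets refer to. The interface name, the 2001:db8: documentation prefix and the addresses are made up; the option names follow the FortiOS 5.x CLI as I know it, so check them against your release's CLI reference before pasting. Lines starting with # are annotations, not CLI input.

```text
# FortiGate: router advertisement on the LAN interface (port2 and the prefix are constructed)
config system interface
    edit "port2"
        config ipv6
            set ip6-address 2001:db8:10::1/64
            set ip6-allowaccess ping
            set ip6-send-adv enable
            # M flag: hosts may obtain an address from DHCPv6 (stateful); the post's setup has this on
            set ip6-manage-flag enable
            # O flag: hosts obtain DNS, domain and other options from DHCPv6 (stateless)
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:db8:10::/64
                    # autonomous-flag on is what makes SLAAC work: hosts form prefix + EUI-64 addresses
                    set autonomous-flag enable
                    set onlink-flag enable
                    set valid-life-time 2592000
                    set preferred-life-time 604800
                next
            end
        end
    next
end

# FortiGate: DHCPv6 server bound to the same interface
config system dhcp6 server
    edit 1
        set status enable
        set interface "port2"
        # the "other information" the FortiGate can hand out here: DNS servers and a domain
        set dns-server1 2001:db8:10::53
        set domain "example.net"
        # small stateful scope for DHCPv6-only hosts; SLAAC hosts never touch it
        config ip-range
            edit 1
                set start-ip 2001:db8:10::1000
                set end-ip 2001:db8:10::10ff
            next
        end
    next
end
```

The split to keep in mind: the RA (interface config) decides what a host does, the dhcp6 server only answers what it is asked. With autonomous-flag on, a SLAAC host self-assigns from 2001:db8:10::/64 and only ever sends an Information-request for DNS and domain; a host that honors the M flag instead asks for an IA_NA and gets one out of the ip-range scope.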
Okay, now let's look at the dhcp6c client config on the FreeBSD host (dhcp6c.conf):
note: This client is only requesting the domain name and DNS servers.
By executing the client in the foreground with debugging set, we can now see what happens:
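The client side, as an added example rather than the post's own dhcp6c.conf: FreeBSD 9.x with the WIDE dhcp6c from the net/dhcp6 port. The interface name em0 and the script path are assumptions; the request keywords are those documented in dhcp6c.conf(5).

```text
# /etc/rc.conf: accept RAs (SLAAC address + default router), then run dhcp6c for the rest
ipv6_activate_all_interfaces="YES"
ifconfig_em0_ipv6="inet6 accept_rtadv"
dhcp6c_enable="YES"
dhcp6c_interfaces="em0"

# /usr/local/etc/dhcp6c.conf (WIDE dhcp6c; em0 is an assumed interface name)
interface em0 {
    # information-only: send Information-request only, never ask for an address (IA_NA) or a prefix (IA_PD)
    information-only;
    # the two things we want from the FortiGate; they are listed in the Option Request Option (ORO)
    request domain-name-servers;
    request domain-name;
    # the port ships an example script that writes the answers into /etc/resolv.conf
    script "/usr/local/etc/dhcp6c-script";
};
```

Run it once by hand in the foreground with extended debugging, `dhcp6c -Df em0`, and capture the exchange from a second shell with `tshark -i em0 -V -Y dhcpv6`: you should see a single Information-request whose ORO lists options 23 (DNS servers) and 24 (domain search list) and a Reply carrying just those two. Adding `request ntp-servers;` or `request sip-server-domain-name;` to the interface block widens the ORO; whether the reply widens with it is entirely up to the server.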
So this client is using SLAAC (the advertised prefix plus an EUI-64 interface identifier) for its address and DHCPv6 for the other information. We can confirm this by looking at the EUI-64 address and the prefix learned via router advertisements.
This is the method used in most IPv6 networks. Running a fully stateful DHCPv6 service across a typical /64 means the server has to track a lease for every host and every host depends on the server just to get an address, which is a lot of state for no gain on a typical server. So a combination of SLAAC and stateless DHCPv6 is the simpler means of controlling a LAN's IPv6 addressing requirements.
note: Be aware that SLAAC provides nothing beyond what the router advertisement carries: the on-link prefix, the default router and link parameters. DNS servers, the domain search list and similar options are not part of a basic RA (RDNSS per RFC 6106 is the exception, and only where both router and host support it), which is exactly the gap the O flag plus stateless DHCPv6 fills.
One thing I want to point out: a DHCPv6 client can ask for a lot of information that might not be supported by the DHCPv6 server. That's fine and dandy; the server answers only with the options it supports and simply leaves the rest out of the reply. After modifying my client request to also ask for SIP servers and other information, the FortiGate still only answers with what it is capable of delivering.
Take these two tshark outputs (output was truncated):
(request)
(response)
So with our FortiGate, the configurable options under "config system dhcp6 server" are very limited in what it can offer to a DHCPv6 client. A client that gets no answer for an option it relies on (NTP, SIP) has to be told another way; listing an option in the ORO is a request, not a guarantee the server will honor it.
In most environments that I've worked in, we apply a small DHCPv6 scope for any devices that are misconfigured for DHCPv6 only or that don't support SLAAC. This allows those devices to connect and use IPv6 resources without the server having to track a lease for every host on the segment.
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( ? ? )=
o
/ \