Tuesday, January 14, 2014

Another review of DHCPv6+SLAAC with a Fortigate

Playing around with FortiOS and the DHCPv6 server. I had a few requests for some more DHCPv6 configurations & examples.

I wanted to go over some of the possible means for automatic ipv6 addressing:

  • SLAAC ( no DHCPv6 )

An ipv6-aware machine can gather its addressing via any of the above methods, either stateful or stateless. Within stateless, you can have the machine gather DHCPv6-provided information such as:
  • Domain-name
  • DNS-server
  • SIP-servers
  • NIS-servers
  • NTP-server
  • Etc

A client configured only for DHCPv6 can also gather the same information plus its ipv6 prefix via the DHCPv6 services. This is known as stateful, versus SLAAC, which is also known as "autoconf". SLAAC is supported by almost all common ipv6-aware OSes by default. DHCPv6 clients are mainly limited to Windows, Linux, FreeBSD and OpenSolaris, and a few router/switch vendors.

In this post, we are configuring a FreeBSD host for "stateless + DHCP". This host is running FreeBSD 9.2 on an unpatched kernel.

And the fortigate is running the most current codeset, in a multi-vdom configuration.

First, let's look at the fortigate ipv6 interface config:

Now, let's look at the DHCPv6 server config:

You will notice a few things between these 2 outputs:

  • We have the managed flag enabled
  • We have a prefix being advertised
  • Our dhcpv6 server has a scope ( I will talk about this later )
  • Plus a few other items ( dns server + domain )

Okay, now let's look at the dhcp6c client config on the freebsd host { dhcp6c.conf }:

note: This client is only requesting the domain-name and dns-servers.

By running the client in the foreground with debugging set, we can now see what happens:

So this client is using SLAAC for the prefix and auto-addressing, and DHCPv6 for the other information. We can confirm this by looking at the EUI-64 address and the prefix learned via router advertisements.
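To make that confirmation repeatable, here is an added example (my own script, not code from the post or from FortiOS): it decodes a constructed Router Advertisement to show the managed/other flags and the advertised prefix, then derives the EUI-64 SLAAC address a host with a given MAC should form, so an observed host address can be checked against what the router actually advertised. The RA bytes, the prefix 2001:db8:1234:1::/64 and the MAC address are all made up for the example.

```python
import ipaddress
import struct

# Constructed sample ICMPv6 Router Advertisement: M and O flags set plus one
# Prefix Information option. Made up for this example, not from the post.
SAMPLE_RA = (
    bytes([134, 0, 0, 0])              # type 134 (RA), code 0, checksum ignored here
    + bytes([64, 0xC0])                # cur hop limit 64; flags M=1 (0x80), O=1 (0x40)
    + struct.pack("!HII", 1800, 0, 0)  # router lifetime, reachable time, retrans timer
    + bytes([3, 4, 64, 0xC0])          # opt type 3, len 4*8 bytes, prefix len 64, L=1 A=1
    + struct.pack("!III", 2592000, 604800, 0)  # valid lifetime, preferred lifetime, reserved
    + ipaddress.IPv6Address("2001:db8:1234:1::").packed
)

def parse_ra(pkt):
    """Return the RA flags and any advertised prefixes from a raw ICMPv6 RA."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = pkt[5]
    info = {"managed": bool(flags & 0x80),   # M: use DHCPv6 for addresses
            "other": bool(flags & 0x40),     # O: use DHCPv6 for DNS, domain, etc.
            "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed RA option")
        if otype == 3 and olen == 32:        # Prefix Information option
            plen, pflags = pkt[off + 2], pkt[off + 3]
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            info["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                     "autonomous": bool(pflags & 0x40)})  # A: SLAAC allowed
        off += olen
    return info

def eui64_address(prefix, mac):
    """Derive the SLAAC address a host forms from a /64 prefix and its MAC (RFC 4291)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]  # flip U/L bit, insert ff:fe
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def host_matches_ra(pkt, mac, observed):
    """Check that an observed host address is the EUI-64 address of an A-flagged RA prefix."""
    ra = parse_ra(pkt)
    expected = [eui64_address(p["prefix"], mac) for p in ra["prefixes"] if p["autonomous"]]
    return ipaddress.IPv6Address(observed) in expected
```

Hosts using temporary (privacy) addresses will not match this check, so a miss there is expected rather than a sign of a rogue prefix.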

This is typically the method used in most ipv6 networks. Managing a fully stateful DHCPv6 for a typical /64 worth of address space would be disastrous on a typical server. So a combination of stateless and DHCPv6 is the simpler means for controlling an ipv6 LAN's addressing requirements.

note: Be aware that SLAAC does not provide anything outside of the local prefix.

One thing I want to point out: a dhcpv6-client can ask for a lot of information that might not be supported by the dhcpv6-server. That's fine & dandy; the dhcpv6-server will answer only with the information that it supports. After modifying the request from my client to ask for SIP and other information, the fortigate still only answers with what it's capable of delivering.

Take these 2 tshark outputs ( output was truncated ):

( request )


So with our fortigate, its configurable options under "config system dhcpv6 server" are very limited in what it can offer to a DHCPv6 client.

In most environments that I've worked in, we apply a small DHCPv6 scope for any devices that are misconfigured for DHCPv6 only or for devices that don't support SLAAC. This allows these devices to connect and use ipv6 resources.

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ?   ?  )=
       /     \
