Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Topic review - Junos router advertisements - Unix IPv6 stateless autoconfiguration via SLAAC
Post subject: Junos router advertisements - Unix IPv6 stateless autoconfiguration via SLAAC | Posted: Mon Jun 23, 2014 5:23 am
One of the differences brought by IPv6 is the Extended Unique Identifier (EUI) (RFC2373). EUI-64 allows a host to assign itself a unique 64-bit IP Version 6 interface identifier, based on its MAC address. This algorithm is used to generate the link local IPv6 address and can also be used with a stateless mechanism.

With SLAAC (Stateless Address Auto Configuration), a host sitting in a layer2 domain assigns that specific interface a global IPv6 address based on a router-advertisement received from a router sitting in the same domain.

Along with the address, the host can also install a default route via that specific router.

While this method has very serious security implications (as a rogue DHCP server / ARP poisoning), sometimes it is really necessary.

Configuring router-advertisement in Junos:
Code:
# show protocols router-advertisement
interface vlan.10 {
    max-advertisement-interval 60;
    min-advertisement-interval 10;
    other-stateful-configuration;
    prefix 2002:1470:7012:1::/64 {
        on-link;
        autonomous;
    }
}


Below is packet dump of this RA:
Code:
11:02:39.508838 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::2e21:72ff:fec6:c188 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 180s, reachable time 0s, retrans time 0s
          source link-address option (1), length 8 (1): 2c:21:72:c6:c1:88
          prefix info option (3), length 32 (4): 2002:1470:7012:1::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s


About the options in router advertisement:
- Autonomous (prefix "A" flag): permits the host to use SLAAC and assign itself an IPv6 address based on the interface's MAC address, within the /64 prefix (it is useless to use it with longer prefixes)
- "other-stateful-configuration" - use the originator of the RA as a default gateway.

To note: This procedure has serious security implications. Read the links at the end for more information.

When Router-Advertisement protocol is disabled in Junos, a new RA packet is sent with "router lifetime 0s" - meaning "Stop using me as your default router".

Interesting reads:
http://blog.ipspace.net/2012/11/ipv6-router-advertisements-deep-dive.html
http://www.fehcom.de/ipnet/ipv6/ipv6-ra.pdf
https://tools.ietf.org/html/rfc5175
It's up to each organization to decide if state(less|ful) (auto)configuration mechanism will be used to assign IPv6 inside its own network, mostly based on the culture, information and security features available in each case.
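As an added example (not part of the original post or of Junos): a small standard-library Python decoder for the RA shown in the dump, plus the modified EUI-64 derivation the post refers to. The packet bytes are constructed to match the tcpdump output, and the MAC 2c:21:72:c6:c1:88 is the one from the dump.

```python
import struct
import ipaddress

# Constructed ICMPv6 body of the RA in the tcpdump output above: type 134, hop limit 64,
# flags M|O, router lifetime 180 s, a source link-layer option and a prefix-info option
# for 2002:1470:7012:1::/64 with the L and A flags set (16 + 8 + 32 = 56 bytes).
def build_sample_ra(router_lifetime=180):
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0xC0, router_lifetime, 0, 0)
    sll = bytes([1, 1]) + bytes.fromhex("2c2172c6c188")
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    return hdr + sll + pio + ipaddress.IPv6Address("2002:1470:7012:1::").packed

def parse_ra(pkt):
    """Decode an RA (RFC 4861 s4.2) and its options; flags a lifetime-0 withdrawal."""
    typ, _, _, hlim, flags, lifetime, reach, retrans = struct.unpack_from("!BBHBBHII", pkt)
    if typ != 134:
        raise ValueError("not a router advertisement")
    ra = {"hop_limit": hlim, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable": reach, "retrans": retrans,
          "withdrawal": lifetime == 0, "source_lladdr": None, "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8  # option length is in units of 8 bytes
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed option")  # RFC 4861 requires discarding the RA
        body = pkt[off + 2:off + olen]
        if otype == 1:  # source link-layer address
            ra["source_lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == 3:  # prefix information: plen, L|A flags, valid, preferred, prefix
            plen, pflags, valid, pref = struct.unpack_from("!BBII", body)
            net = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": pref})
        off += olen
    return ra

def slaac_address(prefix, mac):
    """Address a host forms from a prefix and its MAC (modified EUI-64, RFC 4291 App. A)."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]  # flip U/L bit, insert fffe
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))
```

Feeding the router's MAC to slaac_address("fe80::/64", ...) reproduces the link-local source fe80::2e21:72ff:fec6:c188 seen in the dump, which is a quick sanity check that an RA's link-local source matches its source link-layer option.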