Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
https://forum.ivorde.com/

Junos router advertisements - Unix IPv6 stateless autoconfiguration via SLAAC
https://forum.ivorde.com/junos-router-advertisements-unix-ipv6-stateless-autoconfiguration-via-slaac-t18771.html

Author:  admin [ Mon Jun 23, 2014 5:23 am ]
Post subject:  Junos router advertisements - Unix IPv6 stateless autoconfiguration via SLAAC

One of the differences brought by IPv6 is the Extended Unique Identifier (EUI) (RFC2373). EUI-64 allows a host to assign itself a unique 64-bit IPv6 interface identifier based on its MAC address. This algorithm is used to generate the link-local IPv6 address and can also be used with a stateless mechanism.

With SLAAC (Stateless Address Auto Configuration), a host sitting in a layer 2 domain assigns that specific interface a global IPv6 address based on a router advertisement received from a router sitting in the same domain.

Along with the address, the host can also install a default route via that specific router.

While this method has very serious security implications (like a rogue DHCP server or ARP poisoning), sometimes it is really necessary.

Configuring router-advertisement in Junos:
Code:
# show protocols router-advertisement                 
interface vlan.10 {
    max-advertisement-interval 60;
    min-advertisement-interval 10;
    other-stateful-configuration;
    prefix 2002:1470:7012:1::/64 {
        on-link;
        autonomous;
    }
}


Below is a packet dump of this RA:
Code:
11:02:39.508838 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::2e21:72ff:fec6:c188 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 180s, reachable time 0s, retrans time 0s
          source link-address option (1), length 8 (1): 2c:21:72:c6:c1:88
          prefix info option (3), length 32 (4): 2002:1470:7012:1::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s


About the options in the router advertisement:
- Autonomous (prefix "A" flag): permits the host to use SLAAC and assign itself an IPv6 address based on the interface's MAC address, within the /64 prefix (it is useless to use it with longer prefixes).
- "other-stateful-configuration": use the originator of the RA as a default gateway.

Note: this procedure has serious security implications. Read the links at the end for more information.

When the router-advertisement protocol is disabled in Junos, a new RA packet is sent with "router lifetime 0s", meaning "Stop using me as your default router".

Interesting reads:
http://blog.ipspace.net/2012/11/ipv6-router-advertisements-deep-dive.html
http://www.fehcom.de/ipnet/ipv6/ipv6-ra.pdf
https://tools.ietf.org/html/rfc5175

It's up to each organization to decide whether a state(less|ful) (auto)configuration mechanism will be used to assign IPv6 addresses inside its own network, mostly based on the culture, information and security features available in each case.
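
As an added example (not part of the original post), the following Python sketch audits `tcpdump -v` text output for router advertisements on a segment: it derives the expected link-local source from the router's MAC with modified EUI-64, then flags RAs from any other source or MAC and RAs with "router lifetime 0s". The allowlist, the finding labels and the second and third packets in the sample are constructed for illustration; only the first packet comes from the dump above.

```python
import ipaddress
import re

# Assumptions: one legitimate router (the Junos MAC from the dump), using an EUI-64 link-local.
ALLOWED_ROUTER_MACS = {"2c:21:72:c6:c1:88"}

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64: flip bit 0x02 of the first MAC byte, insert ff:fe in the middle."""
    b = bytearray.fromhex(mac.replace(":", ""))
    b[0] ^= 0x02
    iid = int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")
    return ipaddress.IPv6Network(prefix)[iid]

ALLOWED_SOURCES = {eui64_address("fe80::/64", m) for m in ALLOWED_ROUTER_MACS}
RA_HDR = re.compile(r"(\S+) > \S+: .*ICMP6, router advertisement")
LIFETIME = re.compile(r"router lifetime (\d+)s")
SLLA = re.compile(r"source link-address option \(1\), length 8 \(1\): ([0-9a-f:]{17})")

def audit_ras(dump: str):
    """Return [(source, [findings])] for each RA in `tcpdump -v` text output."""
    results, cur = [], None
    for line in dump.splitlines():
        if not line[:1].isspace():  # unindented line starts a new packet
            m = RA_HDR.search(line)
            cur = (ipaddress.IPv6Address(m.group(1)), []) if m else None
            if cur:
                results.append(cur)
                if cur[0] not in ALLOWED_SOURCES:
                    cur[1].append("unknown-source")
        elif cur:
            if (m := LIFETIME.search(line)) and m.group(1) == "0":
                cur[1].append("lifetime-0")  # sender withdraws itself as default router
            if (m := SLLA.search(line)) and m.group(1) not in ALLOWED_ROUTER_MACS:
                cur[1].append("unknown-router-mac")
    return results

# Packet 1 is the RA from the post; packets 2 and 3 are constructed (and trimmed) samples.
SAMPLE = """\
11:02:39.508838 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::2e21:72ff:fec6:c188 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 180s, reachable time 0s, retrans time 0s
          source link-address option (1), length 8 (1): 2c:21:72:c6:c1:88
11:02:41.000001 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::5eff:fe00:5301 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 64, Flags [none], pref high, router lifetime 1800s, reachable time 0s, retrans time 0s
          source link-address option (1), length 8 (1): 02:00:5e:00:53:01
11:03:10.000002 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::2e21:72ff:fec6:c188 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
"""

if __name__ == "__main__":
    print(*audit_ras(SAMPLE), sep="\n")
```

The same `eui64_address` helper applied to the advertised prefix gives the address a SLAAC host with that MAC would configure, which helps when mapping addresses seen in logs back to hardware.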

All times are UTC - 5 hours [ DST ]