Mailing List Archive

Question on DHCPv6 address assignment
Folks,

I'm wondering about the following two aspects of different DHCPv6
implementations out there:

1) What's the pattern with which addresses are generated/assigned? Are
they sequential (fc00::1, fc00::2, etc.)? Random? Something else?

2) What about their stability? Is there any intent/mechanism for them to
be as "stable" as possible? Or is it usual for hosts to get a new
address for each lease?

P.S.: I understand this is likely to vary from one implementation to
another... so please describe which implementation/version you're
referring to.

Thanks!

Best regards,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: Question on DHCPv6 address assignment
Hi,

> 1) What's the pattern with which addresses are generated/assigned? Are
> they sequential (fc00::1, fc00::2, etc.)? Random? Something else?
>
We use our dhcpy6d (http://dhcpy6d.ifw-dresden.de) which allows 4
different address categories:
- sequential range like fd00::1, fd00::2
- completely random /64 like with privacy extensions:
fd00::3d2a:563f:76f1:d94f
- plain MAC address like fd00::2034:d4f1:439a
- some arbitrary id number given in client configuration like fd00::1,
fd00::3421

See http://dhcpy6d.ifw-dresden.de/documentation/config/addresses for
details.
This way one can hand out for example 2 addresses to clients, one random
privacy-aware global and one range or MAC-based for internal use. The
bad news is that only Windows 7+ is capable of handling more than one
address given by DHCPv6 out of the box. Linux has to be tweaked not to
use Network-Manager and MacOS fails completely - maybe would work with
some dhclient or dibbler-client.

> 2) What about their stability? Is there any intent/mechanism for them to
> be as "stable" as possible? Or is it usual for hosts to get a new
> address for each lease?

MAC and ID based addresses are of course stable, the range based ones
are intended to be too, and the random ones are regenerated whenever a
lease expires.

Best regards
Henri


--
Henri Wahl

IT Department
Leibniz-Institut für Festkörper- u.
Werkstoffforschung Dresden

tel. (03 51) 46 59 - 797
email: h.wahl@ifw-dresden.de
http://www.ifw-dresden.de

IFW Dresden e.V., Helmholtzstraße 20, D-01069 Dresden
VR Dresden Nr. 1369
Vorstand: Prof. Dr. Ludwig Schultz, Dr. h.c. Dipl.-Finw. Rolf Pfrengle
Re: Question on DHCPv6 address assignment
It's also worth noting that the old presumption that MAC-based
interface identifiers are normal and anything else is strange is
obsolete. See http://tools.ietf.org/html/draft-ietf-6man-ug-06
which is approved in the RFC queue already and
http://tools.ietf.org/html/draft-ietf-6man-default-iids-00
for a possible future recommendation.

These documents are mainly written with SLAAC in mind rather
than DHCPv6, but I don't think that changes the principles.
Personally I would avoid "sequential range like fd00::1, fd00::2"
because it exposes you to easy scanning attacks. Random seems
best except for servers.

Regards
Brian Carpenter

On 02/02/2014 09:18, Henri Wahl wrote:
> Hi,
>
>> 1) What's the pattern with which addresses are generated/assigned? Are
>> they sequential (fc00::1, fc00::2, etc.)? Random? Something else?
>>
> We use our dhcpy6d (http://dhcpy6d.ifw-dresden.de) which allows 4
> different address categories:
> - sequential range like fd00::1, fd00::2
> - completely random /64 like with privacy extensions:
> fd00::3d2a:563f:76f1:d94f
> - plain MAC address like fd00::2034:d4f1:439a
> - some arbitrary id number given in client configuration like fd00::1,
> fd00::3421
>
> See http://dhcpy6d.ifw-dresden.de/documentation/config/addresses for
> details.
> This way one can hand out for example 2 addresses to clients, one random
> privacy-aware global and one range or MAC-based for internal use. The
> bad news is that only Windows 7+ is capable of handling more than one
> address given by DHCPv6 out of the box. Linux has to be tweaked not to
> use Network-Manager and MacOS fails completely - maybe would work with
> some dhclient or dibbler-client.
>
>> 2) What about their stability? Is there any intent/mechanism for them to
>> be as "stable" as possible? Or is it usual for hosts to get a new
>> address for each lease?
>
> MAC and ID based addresses are of course stable, the range based ones
> are intended to be too, and the random ones are regenerated whenever a
> lease expires.
>
> Best regards
> Henri
>
>
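
An added example, not part of any message in this thread: an audit script a pool operator could run over a lease list to label each interface identifier with the patterns discussed above (low-value or sequential, MAC-derived, opaque) and to report consecutive runs inside a /64. The function names, the MAC inventory and the sample leases are constructed for illustration, and the `ff:fe` test is a heuristic for modified EUI-64 identifiers.

```python
import ipaddress
from collections import Counter, defaultdict

MASK64 = (1 << 64) - 1

def split(addr):
    """Return (/64 prefix, interface identifier) of an address as integers."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> 64, n & MASK64

def classify_iid(iid, known_macs=()):
    """Label an interface identifier by the pattern it follows (heuristic)."""
    macs = {int(m.replace(":", ""), 16) for m in known_macs}
    if iid < 0x10000:                      # only the last 16-bit group is used
        return "low-value"
    if (iid >> 24) & 0xFFFF == 0xFFFE:     # ff:fe filler of modified EUI-64
        return "eui64"
    if iid >> 48 == 0:                     # fits in 48 bits, like a bare MAC
        return "plain-mac" if iid in macs else "mac-sized"
    return "opaque"

def sequential_runs(addrs, min_len=3):
    """Find runs of consecutive identifiers inside each /64."""
    by_prefix = defaultdict(set)
    for a in addrs:
        prefix, iid = split(a)
        by_prefix[prefix].add(iid)
    runs = []
    for prefix, iids in sorted(by_prefix.items()):
        ordered = sorted(iids)
        start = prev = ordered[0]
        for iid in ordered[1:] + [None]:   # None flushes the final run
            if iid is not None and iid == prev + 1:
                prev = iid
                continue
            if prev - start + 1 >= min_len:
                first = ipaddress.IPv6Address((prefix << 64) | start)
                runs.append((str(first), prev - start + 1))
            start = prev = iid
    return runs

def audit(addrs, known_macs=()):
    """Return (count per pattern, consecutive runs) for a lease list."""
    counts = Counter(classify_iid(split(a)[1], known_macs) for a in addrs)
    return counts, sequential_runs(addrs)

# Constructed sample: addresses in the styles quoted in the thread.
SAMPLE_MACS = ["20:34:d4:f1:43:9a"]
SAMPLE_LEASES = ["fd00::1", "fd00::2", "fd00::3", "fd00::3421",
                 "fd00::2034:d4f1:439a", "fd00::3d2a:563f:76f1:d94f",
                 "fd00::211:22ff:fe33:4455"]
```

Calling `audit(SAMPLE_LEASES, SAMPLE_MACS)` returns the per-pattern counts and the list of consecutive runs; a pool dominated by `low-value` entries or long runs is the predictable case raised in the message above.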
Re: Question on DHCPv6 address assignment
Hi,

> It's also worth noting that the old presumption that MAC-based
> interface identifiers are normal and anything else is strange is
> obsolete. See http://tools.ietf.org/html/draft-ietf-6man-ug-06
> which is approved in the RFC queue already and
> http://tools.ietf.org/html/draft-ietf-6man-default-iids-00
> for a possible future recommendation.
>
For environments where the IPv4 address management is based on MACs the
transition to IPv6 might be done more easily if MACs can still be used.

> These documents are mainly written with SLAAC in mind rather
> than DHCPv6, but I don't think that changes the principles.
> Personally I would avoid "sequential range like fd00::1, fd00::2"
> because it exposes you to easy scanning attacks. Random seems
> best except for servers.
>
For internal addresses I would prefer anything not-random. If there is a
situation when one has to debug through larger amounts of IPv6 addresses
a bunch of random addresses will likely cause more confusion.
External client addresses should be random.

Regards
Henri


--
Henri Wahl

IT Department
Leibniz-Institut für Festkörper- u.
Werkstoffforschung Dresden

tel. (03 51) 46 59 - 797
email: h.wahl@ifw-dresden.de
http://www.ifw-dresden.de

IFW Dresden e.V., Helmholtzstraße 20, D-01069 Dresden
VR Dresden Nr. 1369
Vorstand: Prof. Dr. Ludwig Schultz, Dr. h.c. Dipl.-Finw. Rolf Pfrengle
Re: Question on DHCPv6 address assignment
Fernando

Wrt the Cisco DHCPv6 server (CNR):
1) sequential or random per configuration (can send multiple IA_NA/IA_TA
if there are multiple prefixes configured for this link)
2) while client can send a 'hint' to re-use previous addresses, the server
can do the same thing, we called this 'affinity', as well if using IA_NA
(of course not applicable to IA_TA :-))

PD is the same

Hope this helps

-éric

On 31/01/14 22:00, "Fernando Gont" <fernando@gont.com.ar> wrote:

>Folks,
>
>I'm wondering about the following two aspects of different DHCPv6
>implementations out there:
>
>1) What's the pattern with which addresses are generated/assigned? Are
>they sequential (fc00::1, fc00::2, etc.)? Random? Something else?
>
>2) What about their stability? Is there any intent/mechanism for them to
>be as "stable" as possible? Or is it usual for hosts to get a new
>address for each lease?
>
>P.S.: I understand this is likely to vary from one implementation to
>another... so please describe which implementation/version you're
>referring to.
>
>Thanks!
>
>Best regards,
>--
>Fernando Gont
>e-mail: fernando@gont.com.ar || fgont@si6networks.com
>PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
Re: Question on DHCPv6 address assignment
Infoblox uses the ISC DHCP code. I'm thin on details.

> 1) What's the pattern with which addresses are generated/assigned? Are
> they sequential (fc00::1, fc00::2, etc.)? Random? Something else?

The manual says "When the server grants IPv6 leases, it uses an
algorithm based on the DUID of the client."

> 2) What about their stability? Is there any intent/mechanism for them to
> be as "stable" as possible? Or is it usual for hosts to get a new
> address for each lease?

I've observed a system obtaining different IPv6 addresses when
presenting the same DUID. However, my impression is that hosts
usually retain the same address across time.

mark