IPv6 Foun­da­tion Part 5: IPv6 Con­fig­u­ra­tion, EUI-64, SLAAC & Dual Stack

How IPv6 Con­fig­u­ra­tion works, What is EUI-64, How State­less Address Auto Con­fig­u­ra­tion works? Find your answers and more in the ulti­mate free IPv6 Mas­ter Class!

About this course

So you are inter­est­ed in IPv6, which is absolute­ly great!

IPv6 is not only the future of net­work­ing, it is already here today! All the big play­ers on the Inter­net are already IPv6 enabled and it is now time for you to join the par­ty!

This course cov­ers all major aspects of the new Inter­net Pro­to­col and what changed, com­pared to IPv4. You will under­stand the fun­da­men­tals and be ahead of your peers that are still on the sink­ing ship of IPv4! As of today, there are no IPv4 address­es left and we have no oth­er option but to go ahead and deploy IPv6.

IPv6 Con­fig­u­ra­tion on your Devices

Now that you know all impor­tant basics about IPv6, let’s have some fun and jump into con­fig­u­ra­tion on some devices.

In the exam­ples I use some com­mon plat­forms such as Cis­co IOS, HP ProCurve, HP/H3C Comware, Juniper JUNOS, Apple MacOS, Microsoft Win­dows and Lin­ux.

Please feel free to do more research and test­ing using oth­er plat­forms. There are some nice lab sim­u­la­tors on the inter­net that can be used to con­fig­ure vir­tu­al or phys­i­cal routers with­out the need to pur­chase and run them in your home (which I did back when I learned about net­work­ing). You can also emu­late some rout­ing gear on Cisco’s Vir­tu­al Inter­net Rout­ing Lab (VIRL) and dif­fer­ent oper­at­ing sys­tems using com­mer­cial and free vir­tu­al­iza­tion soft­ware, such as Vir­tu­al­Box.

I learn best by a lot of prac­tice and play­ing around, maybe this works for you, too!

Types of IPv6 address assign­ment

IPv6 Configuration Options

How to con­fig­ure Sta­t­ic IPv6 Address­es

I put togeth­er a sta­t­ic con­fig­u­ra­tion com­par­i­son in the fol­low­ing table. As you can see, there is not much dif­fer­ence for the major net­work­ing ven­dors in regards to con­fig­u­ra­tion syn­tax.

Platform: Cisco IOS

IPv4:
interface vlan 23
ip address 172.23.5.1 255.255.255.0

IPv6:
interface vlan 23
ipv6 address 2001:db8::1/64

Platform: HP/H3C Comware

IPv4:
interface vlan 23
ip address 172.23.5.1 255.255.255.0

IPv6:
interface vlan 23
ipv6 address 2001:db8::1/64

Platform: HP ProCurve

IPv4:
interface vlan 23
ip address 172.23.5.1 255.255.255.0

IPv6:
interface vlan 23
ipv6 address 2001:db8::1/64

Platform: Juniper JUNOS

IPv4:
set interfaces ge-0/0/0 unit 0 family inet address 172.23.5.1/24

IPv6:
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:0:1::/64

How to gen­er­ate an IPv6 Link-Local Address

A link-local address is always configured automatically for each link. It can also be configured statically if you like. This is independent of a global address, such as the one configured in the previous step. Link-Local addresses are mandatory; Global or other addresses on top are optional.

Rules

1. The block from which the address is assigned is always fe80::/10.

Please note: yes, this /10 block is large but the pre­fix for the gen­er­at­ed Link-Local address is still always /64!

2. A Link-Local address has to be active for every inter­face on which IPv6 is enabled.

Link-Local address­es are need­ed for cru­cial net­work com­po­nents such as Neigh­bor Dis­cov­ery Pro­to­col (NDP) and DHCPv6.

Steps to gen­er­ate a Link-Local address:

  1. The host generates an address out of fe80::/10 using EUI-64 (see next chapter)
  2. The host performs Duplicate Address Detection (DAD) by sending an ICMPv6 Neighbor Solicitation message (NS) to the solicited-node multicast address belonging to the just generated Link-Local address
  3. If no ICMPv6 Neighbor Advertisement message (NA) is received, nobody else is apparently using the same address
  4. As long as Duplicate Address Detection (DAD) is not successful and still running, the new address is marked as tentative and is not yet used
  5. The new Link-Local address is usable

How IPv6 Duplicate Address Detection works

ICMPv6 Duplicate Address Detection (DAD) is used to make sure a (generated) address is unique.

It is used with Stateless Address Autoconfiguration, also known as SLAAC (see the following chapters), and Link-Local addresses (see the previous chapter).

How Dupli­cate Address Detec­tion works

  1. A Neighbor Solicitation (NS) message is sent to the host's own solicited-node multicast address, which was derived from the newly generated IPv6 address.

    The source address is the unspecified address (::), as the uniqueness of the new address is not proven yet.

  2. A Neighbor Advertisement (NA) message is received from another host only if the new address is already in use. This tells the DAD process that it failed and a duplicate address exists.

    The destination address of the Neighbor Advertisement message (NA) is the all-nodes multicast group ff02::1, because the soliciting host does not use the new address yet, since Duplicate Address Detection was not (yet) successful.

  3. Usually no Neighbor Advertisement message is received, because the address is indeed unique. The address can then be used and the DAD process ends successfully.

What is IPv6 EUI-64 Auto­con­fig­u­ra­tion

EUI-64 is the name of the method to generate the 64 bit interface Identifier, which is used for auto-generated addresses, such as a Link-Local address: fe80::xxxx:xxxx:xxxx:xxxx

In most implementations the 48 bit interface MAC address is used. Unrelated numbers can also be used for security reasons -> see IPv6 Privacy Extensions

How EUI-64 is per­formed

The interface MAC address in this example is: 00:12:7F:EB:6B:40
A MAC address is only 48 bits, but we need 64 bits for the host identifier of an address with a /64 prefix. So, to fill the remaining space:

EUI-64 Step 1
FFFE is placed in the middle: 00:12:7F:FF:FE:EB:6B:40

EUI-64 Step 2
The Universal/Local (U/L) bit is switched to 1, because the MAC address is globally unique: 02:12:7F:FF:FE:EB:6B:40

EUI-64 Result:
The new Link-Local address is: FE80::212:7FFF:FEEB:6B40

What are IPv6 Pri­va­cy Exten­sions

Regular Stateless Address Autoconfiguration (SLAAC) with EUI-64 uses the interface MAC address to generate a Link-Local address. It can also be used to generate a Global address out of the prefix that a router on the locally connected LAN advertises via an ICMPv6 Router Advertisement (RA) message.

The host's MAC address, or better: the network interface's MAC address, is theoretically globally unique. There are stories where multiple network interface cards shared the same burned-in MAC address, but this is not common. It can happen especially in virtualized environments.

If you like to read more on the dis­tri­b­u­tion of MAC address­es, you can use the free MAC address to ven­dor con­vert­er tool from Wire­shark. The down­side to this unique­ness is more the loss of pri­va­cy.

Secu­ri­ty con­cern -> The host would be track­able around the globe using this unique bit of the IP address!
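The EUI-64 steps and the tracking concern above, as an added Python example (not code from the original course). It rebuilds the Link-Local address from the MAC in the text, derives the solicited-node multicast group that DAD sends its Neighbor Solicitation to, and shows that the MAC can be read back out of any EUI-64 address; the 2001:db8 prefixes and all function names are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: insert FFFE in the middle and flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("a /64 prefix is required")
    return net.network_address + int.from_bytes(iid, "big")

def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX from the low 24 bits of addr (where DAD sends its NS)."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))

def mac_from_address(addr: str):
    """Return the embedded MAC if the interface ID looks like EUI-64, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

if __name__ == "__main__":
    iid = eui64_interface_id("00:12:7F:EB:6B:40")  # MAC from the text
    link_local = address_from_prefix("fe80::/64", iid)
    print(link_local, "-> DAD NS goes to", solicited_node(link_local))
    # Constructed prefixes: the same host seen on two different networks.
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        addr = address_from_prefix(prefix, iid)
        print(addr, "-> MAC", mac_from_address(str(addr)))
    print("2001:db8::1 -> MAC", mac_from_address("2001:db8::1"))
```

Running `mac_from_address` over the source addresses in server or flow logs is a quick way to find hosts that still expose their hardware address through EUI-64.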

How you can make sure you are not tracked glob­al­ly

Solution A: use a randomized interface identifier instead of the MAC address, as defined in RFC 4941

  • This approach is supported by some DHCPv6 implementations
  • It has privacy benefits, but it makes corporate client management, such as troubleshooting and logging, more complex: a client can have different addresses at the same time and these addresses can change constantly, so mapping a client to a user will be difficult.

Solution B: Stable Privacy Addresses as defined in RFC 7217

  • The gen­er­at­ed address is not relat­ed to the client’s hard­ware MAC address, because it is not hard­ware based
  • The address stays the same on the same net­work, so cor­po­rate client man­age­ment is eas­i­er to accom­plish
  • The address changes as soon as the net­work is changed, for exam­ple by mov­ing from the cor­po­rate net­work to a hotel WiFi net­work. The device is not track­able.
  • This approach is usable for Link-Local, Unique Local (ULA) and Glob­al address scopes
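The behaviour listed for Solution B, as an added Python sketch (not code from the original course and not a conformance-tested RFC 7217 implementation). It follows the RFC's formula RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); using HMAC-SHA256 as F, the retry limit, the key, the prefixes and the network names are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress

def stable_iid(prefix, iface, network_id, dad_counter, secret_key):
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    F is HMAC-SHA256 here (a choice made for this example). Each field is
    length-prefixed so that different inputs never serialize identically.
    """
    net = ipaddress.IPv6Network(prefix)
    fields = [net.network_address.packed[:8], iface.encode(),
              network_id, dad_counter.to_bytes(4, "big")]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return rid[-8:]  # 64 bits taken from the low-order end of RID

def stable_address(prefix, iface, network_id, secret_key, in_use=()):
    """Build an address; on a DAD conflict bump DAD_Counter and try again."""
    net = ipaddress.IPv6Network(prefix)
    for dad_counter in range(3):  # retry limit assumed for this example
        iid = stable_iid(prefix, iface, network_id, dad_counter, secret_key)
        addr = net.network_address + int.from_bytes(iid, "big")
        if addr not in in_use:  # stands in for "no NA received during DAD"
            return addr
    raise RuntimeError("DAD failed for every candidate address")

if __name__ == "__main__":
    key = bytes(range(16))  # constructed; a real host keeps a random secret
    corp = stable_address("2001:db8:c0::/64", "eth0", b"corp-lan", key)
    again = stable_address("2001:db8:c0::/64", "eth0", b"corp-lan", key)
    hotel = stable_address("2001:db8:40::/64", "eth0", b"hotel-wifi", key)
    retry = stable_address("2001:db8:c0::/64", "eth0", b"corp-lan", key,
                           in_use={corp})
    print("corporate:", corp, "(stable)" if corp == again else "(changed)")
    print("hotel:    ", hotel)
    print("after DAD conflict:", retry)
```

The interface identifier stays the same on the corporate prefix, is unrelated on the hotel prefix, and never contains the MAC address, which matches the bullets above.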

How to do State­less Address Auto­con­fig­u­ra­tion (SLAAC)

Stateless Address Autoconfiguration (SLAAC) is used for automatic configuration of hosts on an IPv6 network. SLAAC uses the ICMPv6 Neighbor Discovery Protocol (NDP).

How Stateless Address Autoconfiguration (SLAAC) is performed:

  1. First, a Link-Local address is generated using EUI-64
  2. The host sends a Router Solicitation message (RS) to the "all routers" multicast group (ff02::2)
  3. All routers on the local LAN reply with Router Advertisement messages (RA) and announce the prefix(es) that are used on the link
  4. The host generates an address in that prefix, with the host part (host identifier) again created using EUI-64 (or random numbers, see: Privacy Extensions)
  5. The host performs Duplicate Address Detection (DAD) to make sure the newly generated IPv6 address is indeed unique.
    As long as the Duplicate Address Detection process (DAD) is not successful, the new address is marked as "tentative" and is not used
  6. After DAD is successful, the address becomes active

The Tran­si­tion to IPv6 — going Dual Stack

Now that you know so many things about IP in all ver­sions, you might have one ques­tion — do I shut down IPv4 now, once I enable IPv6? How does the migra­tion work?

Well, because not every­body is able to use IPv6 yet, and not every­body is still able to use IPv4 due to the short­age of address­es, we are aim­ing to run dual stack for all our net­work ser­vices.

Dual Stack operation means: using IPv6 side by side with the current IPv4 implementation.

We should only use tun­nels when absolute­ly nec­es­sary or for test­ing, but you should not use a non-native, tun­neled IPv6 con­nec­tion to pro­vide your ser­vices to cus­tomers.

Dual Stack can be used as a tran­si­tion path to IPv6-only. This may take a decade or so, before every­body is IPv6 enabled.

What does it mean to run IPv6 and IPv4 Dual Stack

Dual Stack pro­vides full reach­a­bil­i­ty for both address fam­i­lies:

IPv6-capa­ble hosts are con­fig­ured with IPv4 and IPv6

IPv4-only appli­ca­tions are only reach­able via IPv4

IPv6-only appli­ca­tions are only reach­able via IPv6

Which IP Ver­sion is used in a Dual Stack Envi­ron­ment for ini­ti­at­ing a new Con­nec­tion?

You are running Dual Stack in your network to gain critical insight into the new protocol and keep your network up to date. Great! You also know which IPv6 address is used by default for a newly originated connection. But in Dual Stack, which protocol is used: IPv4 or IPv6?

When ini­ti­at­ing a new con­nec­tion in a Dual Stack sce­nario the source pro­to­col is deter­mined by the fol­low­ing rules, whichev­er rule match­es first (tiebreak­er):

  1. A Native IPv6 con­nec­tion is used.
  2. A Native IPv4 con­nec­tion is used.
  3. If there are no native con­nec­tions, a NAT­ted IPv4 con­nec­tion is used.
  4. Final­ly, if noth­ing else is avail­able, a tun­neled IPv6 (6to4, …) con­nec­tion is used.

IPv6 Source Address Selec­tion

Hav­ing mul­ti­ple address­es per host and inter­face is very com­mon in IPv6! Have you been won­der­ing which address is used as the source for ini­ti­at­ing a new con­nec­tion? There are sim­ple rules that all oper­at­ing sys­tems have to fol­low:

Steps to determine the outgoing (source) IPv6 address, until a tiebreaker is found:

  1. Use the address from the same Scope or Type (Link-Local, Global).
  2. Use the smallest possible Scope.
  3. A preferred (non-deprecated) address is used.
  4. A transitional address (ISATAP, 6to4) is not used, if native IPv6 addresses are available.
  5. Prefer the Source-Destination pair with the longest Prefix (/127 vs. /64).
  6. Prefer the address on the outgoing interface.

Thank You

Thank you for attend­ing the Orig­i­nal IPv6 Foun­da­tion Mas­ter Class! You can book­mark this site to use it as a quick ref­er­ence in case you need to re-read some­thing and you can share this page to social media and your friends and col­leagues. Stay tuned to this blog for more in-depth sto­ries like this one.

Rec­om­mend­ed Resources for addi­tion­al read­ing

Apart from the links through­out this course I rec­om­mend the fol­low­ing resources for addi­tion­al infor­ma­tion:

  1. The Inter­net Soci­ety (ISOC) IPv6 Por­tal
  2. Test your IPv6 con­nec­tiv­i­ty on test-ipv6.com
  3. The offi­cial IANA list of assigned IPv6 address space is very inter­est­ing
  4. The Google IPv6 deploy­ment sta­tis­tics
  5. The RIPE NCC IPv6 work­ing group and mail­ing list

Book rec­om­men­da­tions on IPv6

I can rec­om­mend the fol­low­ing 3 books (Ama­zon refer­ral links) which I enjoyed read­ing:

This con­cludes IPv6 Foun­da­tion Part 5: IPv6 Con­fig­u­ra­tion, EUI-64, SLAAC & Dual Stack of the orig­i­nal IPv6 Foun­da­tion Mas­ter Class.

Pre­vi­ous Part: IPv6 Foun­da­tion Part 4: ICMPv6 & IPv6 Neigh­bor­ships

Next Part: IPv6 Foun­da­tion Part 6: IPv6 DHCP (DHCPv6)
