Monitoring IPv6 with Wireshark

New Dust with Old Brooms

Communicating with the Rest of the World

A Global Unicast Address (GUA) is the IPv6 counterpart of a public IPv4 address. Such an address is routable and reachable from outside the local network, and it is rarely used for communication within a network. A host can have up to six different GUAs on the same network and an almost unlimited number of GUAs across different networks. The GUA range runs from 2000::/3 to 3FFE::/3.

A GUA can be activated using one of the following address configuration methods:

  • Manual: An IPv6 address is assigned by hand on the host.
  • Stateless Address Autoconfiguration (SLAAC): The host takes the network prefix from the RA message and creates two GUAs from it, each with a different host ID (interface identifier).
  • Stateless Dynamic Host Configuration Protocol (DHCPv6): Like SLAAC, but the host additionally obtains information such as DNS and NTP servers from a DHCPv6 server.
  • Stateful DHCPv6: The RA message carries no prefix for autoconfiguration. The host therefore sends a request to discover a DHCPv6 server and asks any responding server to assign appropriate GUA addresses and configuration.
  • Combination: A host receives GUA addresses both via SLAAC and via stateful DHCPv6. This can leave the host with too many IP addresses.

To think in IPv6 terms, IT managers need to shed all IPv4 ballast and follow the IPv6 rules strictly.

Stateless Allocation of IPv6 Addresses

In contrast to the IPv4 protocol, where all address configurations are carried out manually or semi-automatically via DHCP, IPv6 attaches particular importance to automatic configuration of the networks. Automatic configuration can be either stateful or stateless.

Each node on the IPv6 network can learn the configuration parameters its network interfaces need from a router on the same network. Routers send RA messages to the network periodically (normally every 600 seconds) or on request. RA messages carry the information an end node needs to configure itself without further help.

When a router sends an RA message after its internal timer has expired, the destination address is always the all-nodes multicast address FF02::1, which ensures that every node on the network receives the information. Router discovery messages are sent with a value of 1 in the hop limit field of the IP header, which prevents routers from forwarding them into other networks.

The M bit (Managed Address Configuration flag) indicates the type of address configuration: a value of 1 means stateful address configuration (via DHCP), and a value of 0 means stateless address configuration. If the O flag is set to 1, the router is saying that, although the IP address can be formed automatically and statelessly from the prefix in the ICMP packet, the end device must obtain additional information via DHCP. By setting the H bit to 1, the router indicates that it can also act as a home agent for mobile IPv6 nodes.

The lifetime is the validity period, in seconds, of the information the router transmits. Being a 16-bit integer, it allows a maximum validity of 18.2 hours. A router only qualifies as a default router if it advertises a lifetime value: if the lifetime is 0, the rest of the packet can still be used, but the router cannot act as a default router to other networks. If the validity period expires without a new ICMP packet arriving from this router, the host has to remove the router from its routing table.

The Reachable Time (in milliseconds) indicates how long a host is considered reachable after a reachability confirmation has been received; the Neighbor Unreachability Detection algorithm uses this value. The Retransmit Timer specifies how many milliseconds a host should wait after sending a Neighbor Solicitation (NS) message before sending it again; Neighbor Unreachability Detection needs this value as well.

The packet can contain additional options, such as values for the MTU, the hardware address of the router, or possible prefixes for stateless autoconfiguration.

Router Solicitation (RS) messages are sent by machines that are configuring a new interface and do not want to wait for the next periodic announcement; the host asks the router to send a response packet immediately. Explicit requests are always sent to the link-local address of the requesting node. If an end device wants to construct its own IP address from the information in the router messages, it proceeds as follows:

  • If a device receives RA messages on one of its interfaces that contain a suitable prefix, the interface can form its IP address by combining the prefix with its local hardware address.
  • Since the prefix supplied by the router is unique on the Internet and the hardware address is considered unique on the LAN, the two parts always yield a unique IP address.
  • Even if no router advertises a suitable prefix, a host can still generate a unique address: the prefix FE80:: combined with the hardware address gives a unique IPv6 address for the local link (link-local).

One advantage of this method is that smaller networks can be put into operation without any planning overhead. However, Duplicate Address Detection (DAD) must be active for stateless addressing to work correctly. Its task is to detect and prevent duplicate addresses, so every device must perform DAD after selecting an address; during autoconfiguration, a device may only adopt addresses that have not already been assigned.
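The address construction from the three steps above, together with the DAD check that follows it, as an added example (not code from the article): the modified EUI-64 interface identifier is built from the MAC address, combined with FE80::/64 for the link-local address and with an advertised /64 for the GUA, and the solicited-node multicast group that a DAD Neighbor Solicitation is sent to is derived from the result. The MAC address and the 2001:db8::/32 documentation prefix are constructed values; `is_dad_probe` is a hypothetical helper that classifies the source and destination addresses as Wireshark would show them, and `mac_from_eui64_address` shows the reverse mapping a monitoring tool can apply to EUI-64 addresses.

```python
import ipaddress
from typing import Optional


def modified_eui64(mac: str) -> bytes:
    """64-bit interface identifier derived from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert FFFE between the OUI and the rest
    iid[0] ^= 0x02  # invert the universal/local bit
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the interface identifier, as a SLAAC host does."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(network.network_address.packed[:8] + modified_eui64(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The address a host can always form without a router: FE80::/64 plus the interface identifier."""
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(address: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx built from the low 24 bits of the address; DAD probes are sent to this group."""
    low24 = ipaddress.IPv6Address(address).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def is_dad_probe(src: str, dst: str, target: str) -> bool:
    """A DAD Neighbor Solicitation has the unspecified source :: and is addressed to the target's
    solicited-node group (hypothetical helper, constructed for this example)."""
    return (ipaddress.IPv6Address(src) == ipaddress.IPv6Address("::")
            and ipaddress.IPv6Address(dst) == solicited_node_multicast(target))


def mac_from_eui64_address(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address, or None if the interface ID lacks the FFFE marker."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    gua = slaac_address("2001:db8:1:2::/64", mac)
    print("link-local:", link_local_address(mac))
    print("GUA:", gua, "DAD probe goes to", solicited_node_multicast(str(gua)))
```

Because the MAC address survives inside an EUI-64 address, the same host is recognisable across every prefix it ever uses; that is why the second, randomised host ID mentioned under SLAAC exists, and why `mac_from_eui64_address` returns None for it.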

For larger networks, however, there is still a lack of well-founded practical experience with stateless IPv6 addresses, and little is known about the quality of the implementations of address discovery and DAD. In addition, dynamic allocation of IPv6 addresses makes documenting the networks, the hosts attached to them and their specific configurations considerably harder, which increases the troubleshooting overhead: with stateless autoconfiguration, end devices assign themselves addresses for which no records are kept. And since autoconfiguration provides no information about hosts, domain names, DNS or NTP servers, it can, or must, be supplemented by a DHCPv6 server.

Stateful Address Assignment and DHCPv6

The stateful autoconfiguration model is based on the host obtaining its addresses and, if required, other configuration parameters from a server set up on the network. The administrator stores and maintains the configuration data on this server, and the host retrieves its IP addresses and other parameters over the network with the help of a stateful autoconfiguration protocol. This form of autoconfiguration is used whenever the network operator needs an exact assignment of addresses to interfaces.

DHCPv6 is that stateful autoconfiguration protocol. It builds on the basic specification in RFC 1541, written for IPv4 hosts; for IPv6 networks, DHCP was extended to cover the special requirements, and a multitude of additional functions were added. DHCP gives a network administrator the ability to manage and maintain all TCP/IP configuration parameters centrally, making it one approach to building a plug-and-play TCP/IP network.

The advantage of this approach lies in the experience that IT managers have with DHCP, which has been deployed in production operations with IPv4 for years.
