3.1.b (iv) Autoconfig/SLAAC, temporary addresses (RFC4941)

IPv6 Stateless Address Autoconfiguration (SLAAC)
Uses two ICMPv6 messages to communicate the prefix to clients:
Router solicitation (RS, ICMPv6 type 133)
Router advertisement (RA, ICMPv6 type 134)
note: Review 3.1.b (iii) for a more in-depth look at these messages

These let our host ask the router for the prefix and learn the /64 it should use; the host then generates the remaining 64 bits (the interface identifier) with EUI-64 and appends them to the prefix to form its unique global address.

All we need for this is a router on the segment with a global address on the interface and ipv6 unicast-routing enabled (IOS only sends router advertisements when routing is on), and then ipv6 address autoconfig on the host side. In the lab below R2 plays the host.

R1:

en
conf t
ipv6 unicast-routing
int g0/1
ipv6 address 2002::9999:2/64
no shut

R2:

conf t
ipv6 unicast-routing
int g0/1
ipv6 address autoconfig
no shut

On real end hosts, enabling IPv6 on the interface is enough: the stack sends the router solicitation and runs autoconfig on its own. On R2 you can confirm the result with show ipv6 interface brief (the autoconfigured address) and show ipv6 routers (R1 listed as the RA source).

Here’s the process of how the autoconfig works for R2:
1. R2 sends a router solicitation, sourced from its link-local address, to the all-routers multicast group (ff02::2) on the LAN
2. R1 sees the RS and replies with a router advertisement carrying the /64 prefix to use (with the A flag set in the prefix option, so the prefix may be used for autoconfig)
3. R2 creates an address from the prefix + EUI-64 interface identifier (the 48-bit MAC split in half with FFFE inserted in the middle, and the 7th bit of the first byte, the universal/local bit, flipped)
4. R2 sends a neighbor solicitation for the new address to its solicited-node multicast group for duplicate address detection (DAD); the address stays tentative until DAD passes
5. Finally R2 sends an unsolicited neighbor advertisement for its address, which is the IPv6 equivalent of a gratuitous ARP
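The address arithmetic behind steps 1, 3 and 4, as an added Python example (not code from the original page or from Cisco): it builds R2's link-local address, the autoconfigured global address from R1's /64 and a MAC, the solicited-node group the DAD neighbor solicitation is sent to, and then reads the MAC back out of the finished address. The prefix is the one R1 is configured with above; the MAC 00:1a:2b:3c:4d:5e is a constructed sample for R2's g0/1.

```python
import ipaddress
from typing import Optional

# Constructed sample input: R1's configured prefix from the lab above and a made-up MAC for R2.
R1_PREFIX = "2002::9999:2/64"
R2_MAC = "00:1a:2b:3c:4d:5e"


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 4291 appendix A): split the 48-bit MAC in
    half, insert FF:FE, and flip bit 7 of the first octet (the universal/local bit)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host forms from an RA prefix (must be a /64) plus its EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 + EUI-64: the source address of the router solicitation in step 1."""
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, the destination of the DAD neighbor solicitation in step 4:
    the low 24 bits of the tentative address appended to ff02::1:ff00:0/104."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + low24)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Undo EUI-64: returns the MAC if the address carries an FFFE-style IID, else None.
    Anyone who sees the address can do this, which is the tracking problem that
    temporary addresses (next section) address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    lla = link_local_address(R2_MAC)
    gua = slaac_address(R1_PREFIX, R2_MAC)
    print("RS source (link-local) :", lla)
    print("autoconfigured global  :", gua)
    print("DAD NS target group    :", solicited_node_multicast(str(gua)))
    print("MAC recovered from GUA :", mac_from_eui64(str(gua)))
```

Note that R1's 2002::9999:2/64 collapses to the 2002::/64 prefix, so R2 ends up with 2002::21a:2bff:fe3c:4d5e; the FFFE in the middle and the flipped 0x02 bit are the giveaway that an address was built with EUI-64.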

Temporary Addresses:

What issue was quickly identified with using SLAAC and EUI-64?
Because the EUI-64 interface identifier is derived from the MAC, it stays the same no matter which prefix the device receives, so an end user’s device could be tracked across networks and across multiple internet service providers: the last 64 bits of the address identify the device wherever it connects, and anyone who sees the address can read the MAC back out of it.

RFC4941, known as temporary addresses or privacy addresses (privacy extensions), is a technique to NOT put your computer’s MAC address into the IPv6 address that SLAAC builds: the prefix still comes from the RA, but the interface identifier is derived from a hash instead of from the MAC.

Temporary addresses use the leftmost 64 bits of an MD5 hash (computed over a stored history value concatenated with the EUI-64 interface ID, with the universal/local bit cleared) as the interface identifier. These addresses expire and are regenerated regularly: by default a temporary address is preferred for one day (TEMP_PREFERRED_LIFETIME) and then deprecated, but stays valid for up to seven days (TEMP_VALID_LIFETIME) so existing connections can finish. It is therefore normal to see several IPv6 addresses on one interface: the EUI-64 (public) one, one preferred temporary one, and a few deprecated temporary ones.

RFC4941 still relies on IPv6’s DAD mechanism for avoiding duplicate addresses: each new temporary address is tentative until DAD passes, and if DAD fails the host generates another one (by default it gives up after TEMP_IDGEN_RETRIES = 3 consecutive failures).
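The RFC 4941 derivation and its DAD retry loop, as an added Python example (not from the original page or from the linked source): each round hashes the previous history value together with the EUI-64 ID, uses the left half of the digest as the new interface ID and keeps the right half as the next history value. The MAC, the initial history value and the set of addresses "already on the link" are constructed; that set stands in for the neighbors that would answer a real DAD neighbor solicitation.

```python
import hashlib
import ipaddress
import os
from typing import Optional, Set, Tuple

TEMP_IDGEN_RETRIES = 3  # RFC 4941 default: stop after 3 consecutive DAD failures
PREFIX = "2002::9999:2/64"  # R1's prefix from the lab above


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID (same construction as plain SLAAC): MAC halves around FF:FE,
    universal/local bit of the first octet flipped."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def next_temporary_iid(history: bytes, public_iid: bytes) -> Tuple[bytes, bytes]:
    """RFC 4941 section 3.2.1: MD5(history || EUI-64 IID). The leftmost 64 bits become
    the new IID with the universal/local bit (0x02 of the first octet) cleared, marking
    it as locally significant; the rightmost 64 bits are the next history value."""
    if len(history) != 8 or len(public_iid) != 8:
        raise ValueError("history value and interface ID must both be 64 bits")
    digest = hashlib.md5(history + public_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD
    return bytes(iid), digest[8:]


def generate_temporary_address(prefix: str, mac: str, history: bytes,
                               in_use: Set[ipaddress.IPv6Address],
                               retries: int = TEMP_IDGEN_RETRIES
                               ) -> Optional[Tuple[ipaddress.IPv6Address, bytes, int]]:
    """Derive candidate temporary addresses until one passes DAD.
    `in_use` simulates the DAD answer: a candidate already present on the link is a
    duplicate and is discarded, and the next round uses the updated history value.
    Returns (address, new_history, attempts), or None once the retries are exhausted
    (RFC 4941 says to log an error and stop generating temporary addresses)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    public = eui64_iid(mac)
    for attempt in range(1, retries + 1):
        iid, history = next_temporary_iid(history, public)
        if iid == public:             # never reuse the EUI-64 ID (step 4 of the RFC)
            continue
        candidate = ipaddress.IPv6Address(net.network_address.packed[:8] + iid)
        if candidate not in in_use:   # DAD passed
            return candidate, history, attempt
    return None


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"          # constructed sample MAC
    history = os.urandom(8)            # first run: the RFC starts from a random history value
    link: Set[ipaddress.IPv6Address] = set()
    for day in range(3):               # one fresh address per TEMP_PREFERRED_LIFETIME
        result = generate_temporary_address(PREFIX, mac, history, link)
        if result is None:
            print("giving up on temporary addresses after repeated DAD failures")
            break
        addr, history, tries = result
        link.add(addr)                 # the old address stays on the link while deprecated
        print(f"day {day}: {addr} (DAD attempts: {tries})")
```

Because the history value is carried forward across rounds, the sequence of addresses looks random to an observer on the network but is reproducible from the host's stored state, which is why the RFC asks for the history value to be kept in stable storage between reboots.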

Windows and macOS enable this feature by default. On Linux it depends on the distribution and the sysctl net.ipv6.conf.<ifname>.use_tempaddr (0 = off, 1 = generate temporary addresses but prefer the EUI-64 one, 2 = generate and prefer temporary addresses); ip -6 addr marks them with the "temporary" flag, and on Windows netsh interface ipv6 show privacy shows the current setting.

Source for temporary addresses:
https://www.ipsidixit.net/2012/08/09/ipv6-temporary-addresses-and-privacy-extensions/
