Monday, November 16, 2015

Slaac-ing Off


by Craig Miller

IPv6 Auto Magic

Slaacer is a good thing
20 years ago when IPv6 was being standardized, the IPv4 world was busy statically defining addresses on every machine. This was becoming a burden to network administrators, and it was quickly becoming a problem of scale. DHCPv4 hadn't been invented yet.

Back in 1996, the IPv6 authors created a method by which devices on the network could auto-magically create a valid global routable address using SLAAC (StateLess Address Auto Config, RFC 4862). By using SLAAC, all hosts on a network could, without a network administrator's help, get on the internet.

Two halves of SLAAC

Because of the simplification of subnet masking in IPv6 (everything is a /64, see Simplifying Subnetting), the address can be split in half, with the left (MSB) being the network portion of the address, and the right (LSB) being the host portion.

Host Part

Let's start with the right half, the host portion. Since all MAC addresses on a subnet, or broadcast domain (if you are thinking IPv4), must be unique, the IPv6 authors used this to create the host portion of the address. First the 48 bit MAC address is converted to a 64 bit number, or EUI-64, by inserting FFFE in the middle. For example, the MAC address 60:21:c0:e0:8f:0a would become 6021:c0ff:fee0:8f0a. The last step in this transformation is to flip the universal/local bit (bit position 7, see RFC 2373 Appendix A), which results in 6221:c0ff:fee0:8f0a. This host portion is used not only in the global routable SLAAC address, but also in the link-local address.

Network Part

The left half, or network portion is easier. When the network is defined on the router, the router will send out a router advertisement (RA) which will include the network prefix for that subnet. There is more to the RA, such as the M & O bits, but I'll cover that in a later post. Using tcpdump, a typical RA looks like:
15:12:21.640794 fe80::2a0:a512:85:2940 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 48
    hop limit 64, Flags [none], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
    prefix info option (3), length 32 (4): 2607:c000:8000:8b93::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s

On the Internet

The host hears the RA and forms a full 128 bit global routable address by prepending the advertised prefix to the host portion (lower 64 bits). And magically, the host is ready to use the internet!
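Here is the whole transformation from the two sections above carried through in code: the MAC to modified EUI-64 conversion (FFFE insertion plus the universal/local bit flip), the link-local address, and the global address built from the A-flagged prefix in the tcpdump RA decode. This is an added example written for this post, not the author's code; the RA text is the capture shown above, embedded as a constructed sample string, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the router advertisement from the tcpdump capture above.
SAMPLE_RA = """\
15:12:21.640794 fe80::2a0:a512:85:2940 > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 48
    hop limit 64, Flags [none], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
    prefix info option (3), length 32 (4): 2607:c000:8000:8b93::/64, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
"""

# Matches tcpdump's "prefix info option" line: captures the prefix and its flag list.
_PREFIX_RE = re.compile(
    r"prefix info option.*?:\s*([0-9a-fA-F:]+/\d+),\s*Flags \[([^\]]*)\]")


def mac_to_eui64(mac: str) -> bytes:
    """Build a modified EUI-64 interface identifier from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Step 1: insert FF:FE between the OUI and the device-specific half.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Step 2: flip the universal/local bit (bit 7 from the left, 0x02 in the first octet).
    eui64[0] ^= 0x02
    return bytes(eui64)


def iid_to_str(iid: bytes) -> str:
    """Render an 8-byte interface identifier as four hex groups, e.g. 6221:c0ff:fee0:8f0a."""
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Prepend a /64 prefix to the interface identifier to form the 128-bit address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def link_local_address(iid: bytes) -> ipaddress.IPv6Address:
    """The same interface identifier also forms the fe80::/64 link-local address."""
    return slaac_address("fe80::/64", iid)


def autoconf_prefixes(ra_text: str) -> list:
    """Pull every prefix carrying the 'auto' (A) flag out of tcpdump's RA decode.

    A prefix without the A flag is on-link only and must not be used for SLAAC."""
    prefixes = []
    for m in _PREFIX_RE.finditer(ra_text):
        flags = [f.strip() for f in m.group(2).split(",")]
        if "auto" in flags:
            prefixes.append(m.group(1))
    return prefixes


def slaac_from_ra(ra_text: str, mac: str) -> list:
    """What the host does: derive the IID, then form one global address per A-flagged prefix."""
    iid = mac_to_eui64(mac)
    return [slaac_address(p, iid) for p in autoconf_prefixes(ra_text)]


if __name__ == "__main__":
    iid = mac_to_eui64("60:21:c0:e0:8f:0a")
    print("interface id :", iid_to_str(iid))
    print("link-local   :", link_local_address(iid))
    for addr in slaac_from_ra(SAMPLE_RA, "60:21:c0:e0:8f:0a"):
        print("global       :", addr)
```

Running it with the MAC from the post prints the interface identifier 6221:c0ff:fee0:8f0a, the link-local address fe80::6221:c0ff:fee0:8f0a, and the global address 2607:c000:8000:8b93:6221:c0ff:fee0:8f0a. The /64 check in slaac_address matters in practice: a host that receives an A-flagged prefix of any other length is required to ignore it for address formation.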

OK, that was simplified somewhat. There is DAD (Duplicate Address Detection, RFC 4862) which has to happen, but since, as we have seen above, the IPv6 address is formed from the MAC address, it should be unique. If it isn't, DAD will figure that out and create a unique host portion of the address, and then boom! You are on the internet.

Global Auto-configuration

As you can see, a key difference from IPv4 is that a host can get a global address without user or network administrator intervention. But you might ask, what about auto-configuration in IPv4, the link-local address (RFC 3927)? This is different in two key ways:
  • IPv6 SLAAC predates IPv4 auto-config, which was inspired by IPv6 SLAAC
  • It is not a global routable address, but is used for on-link communication when a DHCPv4 server is not available

The Network is in charge

Sun Microsystems (now part of Oracle) used to have a marketing phrase, "The Network is the Computer." The IPv6 creators took this to heart, and much of IPv6 is controlled by the network, specifically the RA (Router Advertisement). This architecture puts great power in the Network Administrator's hands. If a subnet must be renumbered, it is as simple as changing the prefix in the RA; all hosts will pick up the new prefix and generate new global addresses.

SLAAC Evolving

SLAAC continues to evolve. Privacy concerns about using the same global address (without NAT) were raised, and SLAAC temporary addresses (RFC 4941) were created to address this issue; they are widely deployed in OSs. A newer standard which has yet to see wide deployment (RFC 7217) addresses the privacy issue while creating a stable address (non-changing, and not tied to the MAC), which makes firewall (ACL, Access Control List) configuration easier.
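To make the privacy point concrete: an EUI-64 interface identifier can be turned straight back into the MAC address, so the same host is recognisable on every network it visits. RFC 7217 instead derives the identifier as F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key), so it stays the same on a given prefix (good for ACLs) yet differs between prefixes and reveals nothing about the hardware. The example below is added here and is not the author's code or any OS implementation; RFC 7217 leaves the pseudorandom function F open, and HMAC-SHA256 keyed with the host secret is my choice for it. The secret key and interface name are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Interface identifiers that must never be assigned (RFC 5453 reserved ranges).
_RESERVED_IID_RANGES = (
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),  # IANA Ethernet block (EUI-64 form)
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast
)


def _is_reserved_iid(iid: int) -> bool:
    return any(lo <= iid <= hi for lo, hi in _RESERVED_IID_RANGES)


def stable_iid(prefix: str, net_iface: str, secret_key: bytes,
               network_id: bytes = b"", dad_counter: int = 0) -> int:
    """RFC 7217 style opaque IID: RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    F is HMAC-SHA256 here (an assumption; the RFC only requires a PRF). The top 64 bits of
    the RID become the interface identifier. DAD_Counter is bumped when DAD fails or the
    result lands in a reserved range, so the host still converges on a usable address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    msg = (net.network_address.packed[:8]        # Prefix (64 bits)
           + net_iface.encode("utf-8")            # Net_Iface, e.g. interface name
           + network_id                           # Network_ID, e.g. SSID (may be empty)
           + dad_counter.to_bytes(2, "big"))      # DAD_Counter
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    iid = int.from_bytes(rid[:8], "big")
    if _is_reserved_iid(iid):
        return stable_iid(prefix, net_iface, secret_key, network_id, dad_counter + 1)
    return iid


def stable_address(prefix: str, net_iface: str, secret_key: bytes,
                   network_id: bytes = b"", dad_counter: int = 0) -> ipaddress.IPv6Address:
    """Combine the advertised /64 with the RFC 7217 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    iid = stable_iid(prefix, net_iface, secret_key, network_id, dad_counter)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def eui64_iid_to_mac(iid_hex: str) -> str:
    """Reverse the EUI-64 construction: recover the MAC from e.g. 6221:c0ff:fee0:8f0a.

    This is exactly the exposure RFC 4941 and RFC 7217 are designed to remove."""
    raw = bytearray(bytes.fromhex(iid_hex.replace(":", "")))
    if len(raw) != 8 or raw[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 identifier derived from a 48-bit MAC")
    raw[0] ^= 0x02                      # undo the universal/local bit flip
    mac = raw[:3] + raw[5:]             # drop the inserted FF:FE
    return ":".join("%02x" % b for b in mac)


if __name__ == "__main__":
    SECRET = b"constructed-host-secret"                   # constructed sample, per-host secret
    print("MAC recovered from EUI-64 IID:", eui64_iid_to_mac("6221:c0ff:fee0:8f0a"))
    for pfx in ("2607:c000:8000:8b93::/64", "2001:db8:1:2::/64"):
        print(pfx, "->", stable_address(pfx, "eth0", SECRET))
```

The same prefix and secret always give the same address (so a firewall rule written for it keeps working across reboots), while moving to another prefix produces an unrelated identifier, and nothing in either can be walked back to the MAC the way eui64_iid_to_mac does for the EUI-64 form.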

SLAAC Auto-magical

SLAAC auto-magic continues to make getting on the internet easy, nearly 20 years later. Address auto-magic is good, making your transition to IPv6 even easier.
