host-identifier with IPv6

David Farmer farmer at umn.edu
Tue Mar 3 16:39:25 UTC 2009 

On 3 Mar 2009 David Farmer wrote:

> On 3 Mar 2009 Chuck Anderson wrote: 
> 
> > On Tue, Mar 03, 2009 at 02:19:33AM -0600, David Farmer wrote: 
> > > The following is my IPv6 link local address, fe80::208:74ff:fe24:ac0a, my 
> > > mac address is 0008:7424:ac0a, this is the simple transformation defined in 
> > > RFC 2464. Therefore a DHCP server can be assured to get the EUI-64 
> > > version of the MAC address. Transforming that back to a 48-bit MAC and 
> > > allowing operations in the DHCP server based on the MAC address should 
> > > be possible without modification of DHCPv6 clients or DHCPv6 relay agents. 
> > 
> > > 64 address rather than leaving it up to the client through SLAAC to use its 
> > > EUI-64 or a privacy address. 
> > 
> > What about clients using privacy addressing (RFC 3041)? It isn't 
> > clear to me from reading the RFC if this affects link local addresses, 
> > but if it does, they won't have a MAC address embedded in their link 
> > local address. 
> 
> I haven't seen any implementations of RFC 3041 that use privacy extensions on 
> the link local address, but I haven't exhaustively looked either. I'll note that RFC 
> 3041 is an extension to SLAAC, which technically occurs after the link local 
> address is assigned and uses the link local address to communicate with the 
> local routers. Also, in my quick reread of RFC 3041, it seems to be limited to 
> "global-scoped addresses" 
> 
> But, I agree, I don't technically see any reason that you couldn't use RFC 3041 
> like privacy for a link local address, and that would break this assumption. But, I 
> think it is a valid assumption, at least for now. If that changes in the future, I 
> think I'm ok with that. I see this as a short-term crutch. Longer term, we all need 
> retool and redo our processes and procedures to move to DUIDs. I do like some 
> of the ideas behind DUIDs. But, asking everyone to do that now, just creates a 
> barrier to adoption of IPv6. And as I said in another post, we have enough of 
> those already. 

It looks like Vista by default uses a random address even for 
link local. GRRR!  You can turn it off that feature, but this 
needs to work no matter how a host is configured.  

Anyone know if it is more than just Vista that uses a random 
link local address?

Anyone know if you can do a group policy or something of the 
kind to turn-off the random link local address?  Maybe you can 
use IPv4 connectivity to get IPv6 configured correctly.

If that works you could refuse to give out an IPv6 address from 
the DHCPv6 server unless you have a EUI-64 based link local 
address, with "FF:FE" is not in the middle two nibbles.

Another option from the DHCPv6 server side; Maybe you look 
at the link local address first.  If you can't get the MAC address 
there, then try to decode the DUID for the MAC address.  I 
know it violates the RFC where it says the DUID is suppose to 
be opaque, but I'm not sure there is much of a choice here.  If 
both fail, then maybe don't give out an IPv6 address.

I think we need these kind of options, I don't think any of this 
should be the default behavior.  But a MAC address based 
option is absolutely necessary in the short run for most 
campuses. 

--------------
Q. How is the link-local address derived?

A. The link-local address is a combination of the link local 
prefix FE80::/64 and a 64-bit IPv6 interface identifier (ID).

In Windows XP and Windows Server 2003, the IPv6 interface 
ID is derived from the Extended Unique Identifier (EUI)-64 
address. The EUI-64 address is either assigned to a network 
adapter or derived from the 48-bit media access control (MAC) 
address of a network adapter. To create the EUI-64 address 
from the 48-bit (6-byte) Ethernet MAC address, the hex digits 
0xff-fe are inserted between the third and fourth bytes of the 
Ethernet MAC address.

For example, for the MAC address 00-60-08-52-f9-d8, the hex 
digits 0xff-fe are inserted between 0x08 (the third byte) and 
0x52 (the fourth byte) of the MAC address, forming the EUI-64 
address 00-60-08-ff-fe-52-f9-d8.

To obtain an IPv6 interface identifier from an EUI-64 address, 
the Universal/Local bit, the second low-order bit of the first byte 
of the EUI-64 address, is complemented (if it is a 1, it is turned 
to 0, and if it is a 0, it is turned to 1). For example, for the EUI-
64 address of 00-60-08-ff-fe-52-f9-d8, the second low-order bit 
of 0x00 is 0, which, when complemented, becomes a 1. The 
result is that for the first byte, 0x00 becomes 0x02. Therefore, 
the IPv6 interface identifier corresponding to the EUI-64 
address of 00-60-08-ff-fe-52-f9-d8 (corresponding to the 
Ethernet media access control address of 00-60-08-52-f9-d8) 
is 02-60-08-ff-fe-52-f9-d8.

Because the link-local address is the combination of the prefix 
FE80::/64 and the 64-bit interface identifier expressed in IPv6 
colon-hexadecimal notation, the link-local address of this 
example node, with the prefix FE80::/64 and the interface 
identifier 02-60-08-ff-fe-52-f9-d8, is fe80::260:8ff:fe52:f9d8.

In Windows Vista and Windows Server 2008, the interface ID 
by default is randomly derived, rather than based on the EUI-
64 address. You can disable random interface IDs with the 
netsh interface ipv6 set global randomizeidentifiers=disabled 
command or enable random interface IDs with the netsh 
interface ipv6 set global randomizeidentifiers=enabled 
command.



================================================
=======
David Farmer				     Email:	
farmer at umn.edu
Office of Information Technology
Networking & Telecomunication Services
University of Minnesota			     Phone:	612-626-
0815
2218 University Ave SE			     Cell:		
612-812-9952
Minneapolis, MN 55414-3029		     FAX:	612-626-
1818
================================================
=======

More information about the dhcp-users mailing list