Re: DHCPv6

2010-07-13 Thread Kurt Buff
Set a startup script to randomly generate a MAC address. That would
take, what, a few minutes?

Kurt

On Tue, Jul 13, 2010 at 13:19, Crawford, Scott  wrote:
> Hmmm...is it though?  It's certainly not very hard, but I wouldn't say it's 
> easy enough for me to change it on a regular basis or for every site I visit.
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, July 13, 2010 2:56 PM
> To: NT System Admin Issues
> Subject: Re: DHCPv6
>
> On Tue, Jul 13, 2010 at 07:16, Ben Scott  wrote:
>> On Tue, Jul 13, 2010 at 7:03 AM, Andrew S. Baker  wrote:
>>> On Tue, Jul 13, 2010 at 6:58 AM, Ben Scott  wrote:
>>>> With IPv6, the DHCP server *could* configure its own address via SLAAC, and
>>>> then just hand out DHCP options (like DNS servers) when asked.
>>>
>>> True, but it's all too easy to setup the first address ...
>>
>>  Oh, I'm not saying it would be a good idea to do that.  Note that
>> doesn't mean I'm saying it *wouldn't* be a good idea, either.  Myself,
>> I'm talking purely theory at this point.  I don't know enough about
>> IPv6 to start advocating any particular practice, and I expect IPv6
>> hasn't seen enough real-world usage to have really solid best
>> practices in the first place.
>>
>>  But I would be surprised if there aren't some factions which
>> advocate SLAAC for *all* hosts no matter what.
>>
>>  Then there are those who fear SLAAC because it puts an identifier
>> which could potentially follow you anywhere in the world in your IP
>> address (your NIC's MAC address).
>>
>> -- Ben
>
> It's easy enough to change your MAC address...
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~



Re: DHCPv6

2010-07-13 Thread Phil Brutsche
Those concerns have not been ignored. RFC 4941.

All versions of Windows that support IPv6 also have some sort of
privacy extensions turned on by default. Vista and newer use temporary
IPv6 addresses (generated from some randomized identifier) that recycle
themselves every so often.

On 7/13/2010 9:16 AM, Ben Scott wrote:
>   Then there are those who fear SLAAC because it puts an identifier
> which could potentially follow you anywhere in the world in your IP
> address (your NIC's MAC address).

-- 

Phil Brutsche
p...@optimumdata.com
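
Added example (not part of the thread, and not any poster's code): the MAC-derived SLAAC identifier that the quoted concern is about, next to a check that tells it apart from a randomized identifier. The function names are invented for this example; the sample MAC, link-local address and DUID fields are the ones printed in the tcpdump line quoted elsewhere in this thread.

```python
"""Modified EUI-64 interface identifiers in SLAAC addresses (added example)."""
import ipaddress
import struct


def mac_to_iid(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then insert ff:fe between the two MAC halves.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would form from a /64 prefix when it uses its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 based SLAAC needs a /64 prefix")
    return net[int.from_bytes(mac_to_iid(mac), "big")]


def embedded_mac(addr: str):
    """Return the MAC an address appears to embed, or None.

    A randomized identifier can contain ff:fe by chance (about 1 in 65536),
    so a hit means "looks MAC-derived", not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def parse_duid_llt(duid: bytes):
    """Decode a DHCPv6 DUID-LLT: (hardware type, seconds since 2000, MAC hex)."""
    if len(duid) < 8:
        raise ValueError("DUID too short")
    duid_type, hw_type, seconds = struct.unpack("!HHI", duid[:8])
    if duid_type != 1:
        raise ValueError("not a DUID-LLT")
    return hw_type, seconds, duid[8:].hex()


# Values from the tcpdump line in this thread. The DUID bytes are rebuilt here
# from the fields tcpdump printed (hardware type 1, time 316484303, 00155d320606).
TRACE_SOURCE = "fe80::188b:8ff9:305c:71a3"
TRACE_DUID = struct.pack("!HHI", 1, 1, 316484303) + bytes.fromhex("00155d320606")


def describe_client(source: str, duid: bytes) -> dict:
    """Summarise where a client's hardware address is visible."""
    _, _, duid_mac = parse_duid_llt(duid)
    pretty = ":".join(duid_mac[i:i + 2] for i in range(0, len(duid_mac), 2))
    return {
        "mac_in_address": embedded_mac(source),
        "mac_in_duid": pretty,
        "address_if_mac_derived": str(slaac_address("fe80::/64", pretty)),
    }


if __name__ == "__main__":
    for key, value in describe_client(TRACE_SOURCE, TRACE_DUID).items():
        print(f"{key}: {value}")
```

On the traced Windows 7 client the source address does not embed the MAC, while the DHCPv6 client ID in the same packet still carries it to listeners on the local link.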



RE: DHCPv6

2010-07-13 Thread Crawford, Scott
Hmmm...is it though?  It's certainly not very hard, but I wouldn't say it's 
easy enough for me to change it on a regular basis or for every site I visit.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, July 13, 2010 2:56 PM
To: NT System Admin Issues
Subject: Re: DHCPv6

On Tue, Jul 13, 2010 at 07:16, Ben Scott  wrote:
> On Tue, Jul 13, 2010 at 7:03 AM, Andrew S. Baker  wrote:
>> On Tue, Jul 13, 2010 at 6:58 AM, Ben Scott  wrote:
>>> With IPv6, the DHCP server *could* configure its own address via SLAAC, and
>>> then just hand out DHCP options (like DNS servers) when asked.
>>
>> True, but it's all too easy to setup the first address ...
>
>  Oh, I'm not saying it would be a good idea to do that.  Note that
> doesn't mean I'm saying it *wouldn't* be a good idea, either.  Myself,
> I'm talking purely theory at this point.  I don't know enough about
> IPv6 to start advocating any particular practice, and I expect IPv6
> hasn't seen enough real-world usage to have really solid best
> practices in the first place.
>
>  But I would be surprised if there aren't some factions which
> advocate SLAAC for *all* hosts no matter what.
>
>  Then there are those who fear SLAAC because it puts an identifier
> which could potentially follow you anywhere in the world in your IP
> address (your NIC's MAC address).
>
> -- Ben

It's easy enough to change your MAC address...


Re: DHCPv6

2010-07-13 Thread Kurt Buff
On Tue, Jul 13, 2010 at 07:16, Ben Scott  wrote:
> On Tue, Jul 13, 2010 at 7:03 AM, Andrew S. Baker  wrote:
>> On Tue, Jul 13, 2010 at 6:58 AM, Ben Scott  wrote:
>>> With IPv6, the DHCP server *could* configure its own address via SLAAC, and
>>> then just hand out DHCP options (like DNS servers) when asked.
>>
>> True, but it's all too easy to setup the first address ...
>
>  Oh, I'm not saying it would be a good idea to do that.  Note that
> doesn't mean I'm saying it *wouldn't* be a good idea, either.  Myself,
> I'm talking purely theory at this point.  I don't know enough about
> IPv6 to start advocating any particular practice, and I expect IPv6
> hasn't seen enough real-world usage to have really solid best
> practices in the first place.
>
>  But I would be surprised if there aren't some factions which
> advocate SLAAC for *all* hosts no matter what.
>
>  Then there are those who fear SLAAC because it puts an identifier
> which could potentially follow you anywhere in the world in your IP
> address (your NIC's MAC address).
>
> -- Ben

It's easy enough to change your MAC address...




Re: DHCPv6

2010-07-13 Thread Andrew S. Baker
I'm going to test this out again this week (hopefully).

 I did all of this back in December, but I don't remember if I actually had
to set a static IPv6 address before my DHCP server started working, or if I
manually set it because I wanted to control the range of addresses.

-ASB: http://XeeSM.com/AndrewBaker


On Tue, Jul 13, 2010 at 10:21 AM, Ben Scott  wrote:

> On Tue, Jul 13, 2010 at 7:57 AM, Jason Gauthier 
> wrote:
> > I need to assign a static address to the server.  As far as I can tell,
> that
> > is against SLAAC, and everything else IPv6 is supposed to make easy.
> > There might be a reason.  I haven't uncovered it.
>
>   Going with "path of lease resistance" as human nature, I would
> speculate that one possible reason the MS DHCP server wants a static
> IPv6 address is because it's based on the DHCPv4 code which assumes a
> static IP address.
>
> -- Ben
>

Re: DHCPv6

2010-07-13 Thread Ben Scott
On Tue, Jul 13, 2010 at 7:57 AM, Jason Gauthier  wrote:
> I need to assign a static address to the server.  As far as I can tell, that
> is against SLAAC, and everything else IPv6 is supposed to make easy.
> There might be a reason.  I haven't uncovered it.

  Going with "path of lease resistance" as human nature, I would
speculate that one possible reason the MS DHCP server wants a static
IPv6 address is because it's based on the DHCPv4 code which assumes a
static IP address.

-- Ben




Re: DHCPv6

2010-07-13 Thread Richard Stovall
On Tue, Jul 13, 2010 at 10:16 AM, Ben Scott  wrote:

>
>  But I would be surprised if there aren't some factions which
> advocate SLAAC for *all* hosts no matter what.
>

SLAACkers...


Re: DHCPv6

2010-07-13 Thread Ben Scott
On Tue, Jul 13, 2010 at 7:03 AM, Andrew S. Baker  wrote:
> On Tue, Jul 13, 2010 at 6:58 AM, Ben Scott  wrote:
>> With IPv6, the DHCP server *could* configure its own address via SLAAC, and
>> then just hand out DHCP options (like DNS servers) when asked.
>
> True, but it's all too easy to setup the first address ...

  Oh, I'm not saying it would be a good idea to do that.  Note that
doesn't mean I'm saying it *wouldn't* be a good idea, either.  Myself,
I'm talking purely theory at this point.  I don't know enough about
IPv6 to start advocating any particular practice, and I expect IPv6
hasn't seen enough real-world usage to have really solid best
practices in the first place.

  But I would be surprised if there aren't some factions which
advocate SLAAC for *all* hosts no matter what.

  Then there are those who fear SLAAC because it puts an identifier
which could potentially follow you anywhere in the world in your IP
address (your NIC's MAC address).

-- Ben



RE: DHCPv6

2010-07-13 Thread Jason Gauthier
It just seems counter intuitive that I do not need to assign static
addresses on my routers, but I do on a DHCP server.  It receives
multicast addresses, and it should respond to multicast addresses...
its assigned address shouldn't matter (to me)

-Original Message-
From: Phil Brutsche [mailto:p...@optimumdata.com] 
Sent: Tuesday, July 13, 2010 1:51 AM
To: NT System Admin Issues
Subject: Re: DHCPv6

Why? It's not any different from the static IP requirements in IPv4
networks.

On 7/12/2010 9:18 PM, Jason Gauthier wrote:
> Well, after diligence and testing... I've solved this.  Windows 2008
> DHCPv6 will not work reliably without having a */_static_/* IPv6 
> address assigned to it.
> 
> I have not decided how I feel about that yet. 

-- 

Phil Brutsche
p...@optimumdata.com




RE: DHCPv6

2010-07-13 Thread Jason Gauthier
Yes, but DHCP doesn't auto assign itself a useable network address, so
it's not very comparative.

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Tuesday, July 13, 2010 12:50 AM
To: NT System Admin Issues
Subject: Re: DHCPv6

 

DHCP v4 needed the same thing as well did it not???  Only issue I had
was getting former work place higher up the ladder to issue us IP v6
ranges.  They did not want to issue any due to security issues.

 

Jon

On Mon, Jul 12, 2010 at 10:18 PM, Jason Gauthier 
wrote:

Well, after diligence and testing... I've solved this.  Windows 2008
DHCPv6 will not work reliably without having a static IPv6 address
assigned to it.

I have not decided how I feel about that yet.  

 

From: Jason Gauthier 
Sent: Friday, July 09, 2010 3:12 PM 


To: NT System Admin Issues

Subject: DHCPv6 

 

Greetings,

 

I'm struggling with an issue with DHCPv6.   I'm using this, effectively,
as stateless.   I have a Cisco router set up to multicast router
advertisements.  It is doing so successfully, setting the options
"Managed" to false, and "Other" to true.

 

I have confirmed through network traces and Windows 7 DHCPv6 event logs
that it is receiving the announcements, and setting the options
correctly.

 

This is working good!

 

Now, here comes the part that I'm struggling with.  Once the options are
set, the client machine should (and does) poll for DHCPv6 options only.

Again, I've confirmed through network traces that this is happening
successfully.

 

15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
fe80::188b:8ff9:305c:71a3.546 > ff02::1:2.547: [udp sum ok] dhcp6
solicit (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1
time 316484303 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client
FQDN) (vendor class) (option request DNS name DNS vendor-specific info
Client FQDN).

 

My DHCPv6 server (running netmon) can definitely see the multicast
requests sent to FF02:0:0:0:0:0:2:1.  However, it doesn't respond,
acknowledge, or otherwise seem to care.

 

Options 23 (DNS Recursive Name) and options 24 (Domain Search List) are
set.  

 

I have done this on two different networks, two different DHCPv6
servers.  Neither of them responds. Even the statistics do not count up
that there was a solicit message.

 

I am intending to open a ticket with MS, but sasupport seems to be
non-functional for me at the moment.

 

So, I thought I would ask here.   All my clients are Windows 7/2008R2,
and my two servers are 2008 R2.

 

Thanks for reading.

 

Jason

 

 

 

 

 


RE: DHCPv6

2010-07-13 Thread Jason Gauthier
SLAAC can operate under two models.  1) It will generate based on the
hardware MAC address. 2) It will generate based on "some other token".

Microsoft uses "Some other token".  So, there shouldn't be a conflict
with MAC addresses under that platform.


-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Tuesday, July 13, 2010 12:06 AM
To: NT System Admin Issues
Subject: RE: DHCPv6

So SLAAC will only work if you have unique MAC addresses?

If you use Hyper-V, then the pool of MAC addresses assigned to the
guests is based off a pool generated from the host's IP address. If you
build servers in a build factory, then you'll end up with duplicate MAC
addresses for your guests.

Cheers
Ken

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, 13 July 2010 11:00 AM
To: NT System Admin Issues
Subject: Re: DHCPv6

On Mon, Jul 12, 2010 at 10:29 PM, Kurt Buff  wrote:
> No familiarity with DHCPv6, so an ignorant question...

  This is currently the subject of holy wars on forums such as NANOG.

  An IPv6 node can discover the network number, network mask, and local
routers by using router solicitation.  This is part of the core IP
protocol, and in theory should be part of every implementation.
The IPv6 node can then use its MAC address to generate a unique address
on the local network (this is called SLAAC (StateLess Address
Auto-Configuration)).  So an IPv6 node can get a working network layer
on any network, without DHCPv6.

  However, you still need DHCPv6 to find out things like DNS servers.
So SLAAC is only good for layer 3, not for higher layer stuff.

  This has led to a feud between those who think IPv6 address
assignment should work just like IPv4 -- via DHCP -- since that's what
everyone's infrastructure is built around, and thus SLAAC is just a
waste of resources, vs those who think addresses should come from SLAAC
and DHCPv6 should only be used to discover higher layer stuff.
Implementations behave according to which armed camp they align with.

  Things haven't shaken out yet.  Until they do, I expect IPv6
client-vs-network interoperability (i.e., "How do I configure my pee sea
for your net work?") to be a clusterfsck.





RE: DHCPv6

2010-07-13 Thread Jason Gauthier
I need to assign a static address to the server.  As far as I can tell, that is 
against SLAAC, and everything else IPv6 is supposed to make easy.
There might be a reason.  I haven't uncovered it.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, July 12, 2010 10:29 PM
To: NT System Admin Issues
Subject: Re: DHCPv6

No familiarity with DHCPv6, so an ignorant question...

What needs the static address assigned? Is it the machine handing out 
addresses, or the machine receiving the assignment?

And, if the former, why would that be an issue? I would think it pretty much a 
requirement.

I *did* just go to a computer user group in Seattle that had a presentation on 
IPv6, but aside from the fact that it allows for more addresses than we can 
count, and a few other tidbits like getting started with tunneling, it wasn't 
all that informative.

For instance, he did not deal with issues like whether segmenting networks as 
we do now inside the enterprise at the layer2 and layer3 boundaries is still an 
issue in a pure IPv6 environment - I think that was beyond his experience.

Kurt

On Mon, Jul 12, 2010 at 19:18, Jason Gauthier  wrote:
> Well, after diligence and testing… I’ve solved this.  Windows 2008 
> DHCPv6 will not work reliably without having a static IPv6 address assigned 
> to it.
>
> I have not decided how I feel about that yet.
>
>
>
> From: Jason Gauthier
> Sent: Friday, July 09, 2010 3:12 PM
> To: NT System Admin Issues
> Subject: DHCPv6
>
>
>
> Greetings,
>
>
>
> I’m struggling with an issue with DHCPv6.   I’m using this, 
> effectively, as stateless.   I have a Cisco router set up to multicast 
> router advertisements.  It is doing so successfully, setting the options 
> “Managed”
> to false, and “Other” to true.
>
>
>
> I have confirmed through network traces and Windows 7 DHCPv6 event 
> logs that it is receiving the announcements, and setting the options 
> correctly.
>
>
>
> This is working good!
>
>
>
> Now, here comes the part that I’m struggling with.  Once the options 
> are set, the client machine should (and does) poll for DHCPv6 options only.
>
> Again, I’ve confirmed through network traces that this is happening 
> successfully.
>
>
>
> 15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
> fe80::188b:8ff9:305c:71a3.546 > ff02::1:2.547: [udp sum ok] dhcp6 
> solicit
> (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1 time 
> 316484303
> 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client FQDN) (vendor 
> class) (option request DNS name DNS vendor-specific info Client FQDN).
>
>
>
> My DHCPv6 server (running netmon) can definitely see the multicast 
> requests sent to FF02:0:0:0:0:0:2:1.  However, it doesn’t respond, 
> acknowledge, or otherwise seem to care.
>
>
>
> Options 23 (DNS Recursive Name) and options 24 (Domain Search List) 
> are set.
>
>
>
> I have done this on two different networks, two different DHCPv6 servers.
> Neither of them responds. Even the statistics do not count up that 
> there was a solicit message.
>
>
>
> I am intending to open a ticket with MS, but sasupport seems to be 
> non-functional for me at the moment.
>
>
>
> So, I thought I would ask here.   All my clients are Windows 7/2008R2, 
> and my two servers are 2008 R2.
>
>
>
> Thanks for reading.
>
>
>
> Jason
>
>
>
>


Re: DHCPv6

2010-07-13 Thread Andrew S. Baker
True, but it's all too easy to setup the first address, and it makes it much
more deterministic.  After all, you're right there setting the DHCP server
options.  It's not going to kill you to add one more item (static IPv6
address), especially when said device is probably sporting a static IPv4
address for the same reason.

It's a good idea to go out and register your own IPv6 address space, any
way.

http://www.sixxs.net/tools/grh/ula/


*ASB *(My XeeSM Profile) 
*Exploiting Technology for Business Advantage...*



On Tue, Jul 13, 2010 at 6:58 AM, Ben Scott  wrote:

> On Tue, Jul 13, 2010 at 1:07 AM, Jon Harris  wrote:
> > I was only referring to the server needing a fixed address not any of the
> > clients.  I have always thought that you had to have at least some fixed
> > point to refer to when using DHCP that being the server or more correctly
> > the server's address.
>
>   So was I.  With IPv4, that's a practical requirement, because the
> only way[1] to get an address automatically is DHCP, and the DHCP
> server can't get its own IP address via DHCP.  Chicken-and-egg.  With
> IPv6, the DHCP server *could* configure its own address via SLAAC, and
> then just hand out DHCP options (like DNS servers) when asked.  Or at
> least, so I suppose.  I haven't read the RFCs.  :)
>
> [1] This is an over-simplification, but good enough for our purposes.
>
> -- Ben
>

Re: DHCPv6

2010-07-13 Thread Ben Scott
On Tue, Jul 13, 2010 at 1:07 AM, Jon Harris  wrote:
> I was only referring to the server needing a fixed address not any of the
> clients.  I have always thought that you had to have at least some fixed
> point to refer to when using DHCP that being the server or more correctly
> the server's address.

  So was I.  With IPv4, that's a practical requirement, because the
only way[1] to get an address automatically is DHCP, and the DHCP
server can't get its own IP address via DHCP.  Chicken-and-egg.  With
IPv6, the DHCP server *could* configure its own address via SLAAC, and
then just hand out DHCP options (like DNS servers) when asked.  Or at
least, so I suppose.  I haven't read the RFCs.  :)

[1] This is an over-simplification, but good enough for our purposes.

-- Ben




Re: DHCPv6

2010-07-13 Thread Andrew S. Baker
Yes, this is how DHCP in IPv4 also works.  The difference is that there is
an extra mechanism for automatically generating IPv6 addresses beyond just
DHCP...


*ASB *(My XeeSM Profile) 
*Exploiting Technology for Business Advantage...*


On Mon, Jul 12, 2010 at 10:18 PM, Jason Gauthier wrote:

> Well, after diligence and testing… I’ve solved this.  Windows 2008 DHCPv6
> will not work reliably without having a *static* IPv6 address assigned to
> it.
>
> I have not decided how I feel about that yet.
>
>
>
> *From:* Jason Gauthier
> *Sent:* Friday, July 09, 2010 3:12 PM
> *To:* NT System Admin Issues
> *Subject:* DHCPv6
>
>
>
> Greetings,
>
>
>
> I’m struggling with an issue with DHCPv6.   I’m using this, effectively, as
> stateless.   I have a Cisco router set up to multicast router
> advertisements.  It is doing so successfully, setting the options “Managed”
> to false, and “Other” to true.
>
>
>
> I have confirmed through network traces and Windows 7 DHCPv6 event logs
> that it is receiving the announcements, and setting the options correctly.
>
>
>
> This is working good!
>
>
>
> Now, here comes the part that I’m struggling with.  Once the options are
> set, the client machine should (and does) poll for DHCPv6 options only.
>
> Again, I’ve confirmed through network traces that this is happening
> successfully.
>
>
>
> *15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
> fe80::188b:8ff9:305c:71a3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit
> (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1 time 316484303
> 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client FQDN) (vendor class)
> (option request DNS name DNS vendor-specific info Client FQDN).*
>
>
>
> My DHCPv6 server (running netmon) can definitely see the multicast requests
> sent to FF02:0:0:0:0:0:2:1.  However, it doesn’t respond, acknowledge, or
> otherwise seem to care.
>
>
>
> Options 23 (DNS Recursive Name) and options 24 (Domain Search List) are
> set.
>
>
>
> I have done this on two different networks, two different DHCPv6 servers.
> Neither of them responds. Even the statistics do not count up that there was
> a solicit message.
>
>
>
> I am intending to open a ticket with MS, but sasupport seems to be
> non-functional for me at the moment.
>
>
>
> So, I thought I would ask here.   All my clients are Windows 7/2008R2, and
> my two servers are 2008 R2.
>
>
>
> Thanks for reading.
>
>
>
> Jason
>
>
>
>
>
>


Re: DHCPv6

2010-07-12 Thread Phil Brutsche
You aren't the only one, and unfortunately that is one of the reasons
why we are all screwed with the IPv4 -> IPv6 transition.

On 7/12/2010 11:37 PM, Kurt Buff wrote:
> I *knew* there was a reason I wasn't paying much attention to IPv6 yet...

-- 

Phil Brutsche
p...@optimumdata.com



Re: DHCPv6

2010-07-12 Thread Phil Brutsche
IPv6 isn't magic.

The more things change the more things stay the same.

You will still need to implement segmented networks in IPv6, for all the
same reason you do with IPv4.

On 7/12/2010 9:29 PM, Kurt Buff wrote:
> For instance, he did not deal with issues like whether segmenting
> networks as we do now inside the enterprise at the layer2 and layer3
> boundaries is still an issue in a pure IPv6 environment - I think that
> was beyond his experience.

-- 

Phil Brutsche
p...@optimumdata.com



Re: DHCPv6

2010-07-12 Thread Phil Brutsche
Why? It's not any different from the static IP requirements in IPv4
networks.

On 7/12/2010 9:18 PM, Jason Gauthier wrote:
> Well, after diligence and testing… I’ve solved this.  Windows 2008
> DHCPv6 will not work reliably without having a */_static_/* IPv6 address
> assigned to it.
> 
> I have not decided how I feel about that yet. 

-- 

Phil Brutsche
p...@optimumdata.com



Re: DHCPv6

2010-07-12 Thread Jon Harris
Yeah I know kind of convoluted but if you think about it it does make a bit
of sense.  Maybe only a bit though.

Jon

On Tue, Jul 13, 2010 at 1:07 AM, Jon Harris  wrote:

> I was only referring to the server needing a fixed address not any of the
> clients.  I have always thought that you had to have at least some fixed
> point to refer to when using DHCP that being the server or more correctly
> the server's address.  Now if we don't need DHCP at all and still get things
> like DNS to function correctly then we would not need a fixed reference
> point to work off of.
>
> It is kind of like where in 3 dimensional space is the earth.  Do we use
> the distance from our sun or from the core of the Milky Way as the point of
> origin.  We could use both but then we would need to continually be
> recalculating position for everything to work and distances to be
> calculated.  Using a fixed reference point for objects in space makes it
> easier to find things without having to recompute angles and distances from
> fixed objects which would not be fixed unless we had some simple reference
> points in space to use.
>
> Jon
>
>   On Tue, Jul 13, 2010 at 12:55 AM, Ben Scott wrote:
>
>> On Tue, Jul 13, 2010 at 12:50 AM, Jon Harris  wrote:
>> >> Well, after diligence and testing… I’ve solved this.  Windows 2008
>> DHCPv6
>> >> will not work reliably without having a static IPv6 address assigned to
>> it.
>> >
>> > DHCP v4 needed the same thing as well did it not?
>>
>>  Sure, but IPv6 isn't IPv4.  The whole "stateless address" config
>> thing means that, in theory, every node can automagically configure
>> itself with a globally unique IP address without the need for DHCP at
>> all.  If you're a member of that church, DHCP just becomes a method
>> for nodes to discover things like DNS and mail servers.  There's no
>> reason I'm aware of that should have to be tied to a manually
>> configured address.
>>
>> -- Ben
>>

Re: DHCPv6

2010-07-12 Thread Jon Harris
I was only referring to the server needing a fixed address not any of the
clients.  I have always thought that you had to have at least some fixed
point to refer to when using DHCP that being the server or more correctly
the server's address.  Now if we don't need DHCP at all and still get things
like DNS to function correctly then we would not need a fixed reference
point to work off of.

It is kind of like where in 3 dimensional space is the earth.  Do we use the
distance from our sun or from the core of the Milky Way as the point of
origin.  We could use both but then we would need to continually be
recalculating position for everything to work and distances to be
calculated.  Using a fixed reference point for objects in space makes it
easier to find things without having to recompute angles and distances from
fixed objects which would not be fixed unless we had some simple reference
points in space to use.

Jon

On Tue, Jul 13, 2010 at 12:55 AM, Ben Scott  wrote:

> On Tue, Jul 13, 2010 at 12:50 AM, Jon Harris  wrote:
> >> Well, after diligence and testing… I’ve solved this.  Windows 2008
> DHCPv6
> >> will not work reliably without having a static IPv6 address assigned to
> it.
> >
> > DHCP v4 needed the same thing as well did it not?
>
>  Sure, but IPv6 isn't IPv4.  The whole "stateless address" config
> thing means that, in theory, every node can automagically configure
> itself with a globally unique IP address without the need for DHCP at
> all.  If you're a member of that church, DHCP just becomes a method
> for nodes to discover things like DNS and mail servers.  There's no
> reason I'm aware of that should have to be tied to a manually
> configured address.
>
> -- Ben
>

Re: DHCPv6

2010-07-12 Thread Ben Scott
On Tue, Jul 13, 2010 at 12:50 AM, Jon Harris  wrote:
>> Well, after diligence and testing… I’ve solved this.  Windows 2008 DHCPv6
>> will not work reliably without having a static IPv6 address assigned to it.
>
> DHCP v4 needed the same thing as well did it not?

  Sure, but IPv6 isn't IPv4.  The whole "stateless address" config
thing means that, in theory, every node can automagically configure
itself with a globally unique IP address without the need for DHCP at
all.  If you're a member of that church, DHCP just becomes a method
for nodes to discover things like DNS and mail servers.  There's no
reason I'm aware of that should have to be tied to a manually
configured address.

-- Ben




Re: DHCPv6

2010-07-12 Thread Jon Harris
DHCP v4 needed the same thing as well did it not???  Only issue I had was
getting former work place higher up the ladder to issue us IP v6 ranges.
They did not want to issue any due to security issues.

Jon

On Mon, Jul 12, 2010 at 10:18 PM, Jason Gauthier wrote:

>  Well, after diligence and testing… I’ve solved this.  Windows 2008 DHCPv6
> will not work reliably without having a *static* IPv6 address assigned to
> it.
>
> I have not decided how I feel about that yet.
>
>
>
> *From:* Jason Gauthier
> *Sent:* Friday, July 09, 2010 3:12 PM
>
> *To:* NT System Admin Issues
> *Subject:* DHCPv6
>
>
>
> Greetings,
>
>
>
> I’m struggling with an issue with DHCPv6.   I’m using this, effectively, as
> stateless.   I have a Cisco router set up to multicast router
> advertisements.  It is doing so successfully, setting the options “Managed”
> to false, and “Other” to true.
>
>
>
> I have confirmed through network traces and Windows 7 DHCPv6 event logs
> that it is receiving the announcements, and setting the options correctly.
>
>
>
> This is working good!
>
>
>
> Now, here comes the part that I’m struggling with.  Once the options are
> set, the client machine should (and does) poll for DHCPv6 options only.
>
> Again, I’ve confirmed through network traces that this is happening
> successfully.
>
>
>
> *15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
> fe80::188b:8ff9:305c:71a3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit
> (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1 time 316484303
> 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client FQDN) (vendor class)
> (option request DNS name DNS vendor-specific info Client FQDN).*
>
>
>
> My DHCPv6 server (running netmon) can definitely see the multicast requests
> sent to FF02:0:0:0:0:0:2:1.  However, it doesn’t respond, acknowledge, or
> otherwise seem to care.
>
>
>
> Options 23 (DNS Recursive Name) and options 24 (Domain Search List) are
> set.
>
>
>
> I have done this on two different networks, two different DHCPv6 servers.
> Neither of them responds. Even the statistics do not count up that there was
> a solicit message.
>
>
>
> I am intending to open a ticket with MS, but sasupport seems to be
> non-functional for me at the moment.
>
>
>
> So, I thought I would ask here.   All my clients are Windows 7/2008R2, and
> my two servers are 2008 R2.
>
>
>
> Thanks for reading.
>
>
>
> Jason
>
>
>
>
>
>


Re: DHCPv6

2010-07-12 Thread Kurt Buff
On Mon, Jul 12, 2010 at 19:59, Ben Scott  wrote:
> On Mon, Jul 12, 2010 at 10:29 PM, Kurt Buff  wrote:
>> No familiarity with DHCPv6, so an ignorant question...
>
>  This is currently the subject of holy wars on forums such as NANOG.
>
>  An IPv6 node can discover the network number, network mask, and
> local routers by using router solicitation.  This is part of the core
> IP protocol, and in theory should be part of every implementation.
> The IPv6 node can then use its MAC address to generate a unique
> address on the local network (this is called SLAAC (StateLess Address
> Auto-Configuration)).  So an IPv6 node can get a working network layer
> on any network, without DHCPv6.
>
>  However, you still need DHCPv6 to find out things like DNS servers.
> So SLAAC is only good for layer 3, not for higher layer stuff.
>
>  This has led to a feud between those who think IPv6 address
> assignment should work just like IPv4 -- via DHCP -- since that's what
> everyone's infrastructure is built around, and thus SLAAC is just a
> waste of resources, vs those who think addresses should come from
> SLAAC and DHCPv6 should only be used to discover higher layer stuff.
> Implementations behave according to which armed camp they align with.
>
>  Things haven't shaken out yet.  Until they do, I expect IPv6
> client-vs-network interoperability (i.e., "How do I configure my pee
> sea for your net work?") to be a clusterfsck.
>
> -- Ben

I *knew* there was a reason I wasn't paying much attention to IPv6 yet...

Kurt




Re: DHCPv6

2010-07-12 Thread Ben Scott
On Tue, Jul 13, 2010 at 12:05 AM, Ken Schaefer  wrote:
> So SLAAC will only work if you have unique MAC addresses?

  Hmmm.  I would expect so, for certain definitions of "unique".  That
said, I know very little about this stuff -- I've read a few articles
and discussions, that sort of thing.

> If you use Hyper-V, then the pool of MAC addresses assigned to the guests
> is based off a pool generated from the host's IP address. If you build
> servers in a build factory, then you'll end up with duplicate MAC
> addresses for your guests.

  If you have multiple hosts in the same broadcast domain with the
same MAC address, you're going to have much bigger problems than that.
 :)

  If the hosts are not in the same broadcast domain, they're almost
certainly not in the same IP network, so their IP address will be made
unique by the combination of IP network plus MAC address.  The MAC
address is unique within the broadcast domain.

  Proxy ARP could cause problems, but if you're using proxy ARP you're
prolly already used to that.  ;-)

-- Ben



RE: DHCPv6

2010-07-12 Thread Ken Schaefer
So SLAAC will only work if you have unique MAC addresses?

If you use Hyper-V, then the pool of MAC addresses assigned to the guests is 
based off a pool generated from the host's IP address. If you build servers in 
a build factory, then you'll end up with duplicate MAC addresses for your 
guests.

Cheers
Ken

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, 13 July 2010 11:00 AM
To: NT System Admin Issues
Subject: Re: DHCPv6

On Mon, Jul 12, 2010 at 10:29 PM, Kurt Buff  wrote:
> No familiarity with DHCPv6, so an ignorant question...

  This is currently the subject of holy wars on forums such as NANOG.

  An IPv6 node can discover the network number, network mask, and local routers 
by using router solicitation.  This is part of the core IP protocol, and in 
theory should be part of every implementation.
The IPv6 node can then use its MAC address to generate a unique address on the 
local network (this is called SLAAC (StateLess Address Auto-Configuration)).  
So an IPv6 node can get a working network layer on any network, without DHCPv6.

  However, you still need DHCPv6 to find out things like DNS servers.
So SLAAC is only good for layer 3, not for higher layer stuff.

  This has led to a feud between those who think IPv6 address assignment 
should work just like IPv4 -- via DHCP -- since that's what everyone's 
infrastructure is built around, and thus SLAAC is just a waste of resources, vs 
those who think addresses should come from SLAAC and DHCPv6 should only be used 
to discover higher layer stuff.
Implementations behave according to which armed camp they align with.

  Things haven't shaken out yet.  Until they do, I expect IPv6 
client-vs-network interoperability (i.e., "How do I configure my pee sea for 
your net work?") to be a clusterfsck.





Re: DHCPv6

2010-07-12 Thread Ben Scott
On Mon, Jul 12, 2010 at 10:29 PM, Kurt Buff  wrote:
> No familiarity with DHCPv6, so an ignorant question...

  This is currently the subject of holy wars on forums such as NANOG.

  An IPv6 node can discover the network number, network mask, and
local routers by using router solicitation.  This is part of the core
IP protocol, and in theory should be part of every implementation.
The IPv6 node can then use its MAC address to generate a unique
address on the local network (this is called SLAAC (StateLess Address
Auto-Configuration)).  So an IPv6 node can get a working network layer
on any network, without DHCPv6.

  However, you still need DHCPv6 to find out things like DNS servers.
So SLAAC is only good for layer 3, not for higher layer stuff.

  This has led to a feud between those who think IPv6 address
assignment should work just like IPv4 -- via DHCP -- since that's what
everyone's infrastructure is built around, and thus SLAAC is just a
waste of resources, vs those who think addresses should come from
SLAAC and DHCPv6 should only be used to discover higher layer stuff.
Implementations behave according to which armed camp they align with.

  Things haven't shaken out yet.  Until they do, I expect IPv6
client-vs-network interoperability (i.e., "How do I configure my pee
sea for your net work?") to be a clusterfsck.

-- Ben



Re: DHCPv6

2010-07-12 Thread Kurt Buff
No familiarity with DHCPv6, so an ignorant question...

What needs the static address assigned? Is it the machine handing out
addresses, or the machine receiving the assignment?

And, if the former, why would that be an issue? I would think it
pretty much a requirement.

I *did* just go to a computer user group in Seattle that had a
presentation on IPv6, but aside from the fact that it allows for more
addresses than we can count, and a few other tidbits like getting
started with tunneling, it wasn't all that informative.

For instance, he did not deal with issues like whether segmenting
networks as we do now inside the enterprise at the layer2 and layer3
boundaries is still an issue in a pure IPv6 environment - I think that
was beyond his experience.

Kurt

On Mon, Jul 12, 2010 at 19:18, Jason Gauthier  wrote:
> Well, after diligence and testing… I’ve solved this.  Windows 2008 DHCPv6
> will not work reliably without having a static IPv6 address assigned to it.
>
> I have not decided how I feel about that yet.
>
>
>
> From: Jason Gauthier
> Sent: Friday, July 09, 2010 3:12 PM
> To: NT System Admin Issues
> Subject: DHCPv6
>
>
>
> Greetings,
>
>
>
> I’m struggling with an issue with DHCPv6.   I’m using this, effectively, as
> stateless.   I have a Cisco router set up to multicast router
> advertisements.  It is doing so successfully, setting the options “Managed”
> to false, and “Other” to true.
>
>
>
> I have confirmed through network traces and Windows 7 DHCPv6 event logs that
> it is receiving the announcements, and setting the options correctly.
>
>
>
> This is working good!
>
>
>
> Now, here comes the part that I’m struggling with.  Once the options are
> set, the client machine should (and does) poll for DHCPv6 options only.
>
> Again, I’ve confirmed through network traces that this is happening
> successfully.
>
>
>
> 15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
> fe80::188b:8ff9:305c:71a3.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit
> (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1 time 316484303
> 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client FQDN) (vendor class)
> (option request DNS name DNS vendor-specific info Client FQDN).
>
>
>
> My DHCPv6 server (running netmon) can definitely see the multicast requests
> sent to FF02:0:0:0:0:0:2:1.  However, it doesn’t respond, acknowledge, or
> otherwise seem to care.
>
>
>
> Options 23 (DNS Recursive Name) and options 24 (Domain Search List) are
> set.
>
>
>
> I have done this on two different networks, two different DHCPv6 servers.
> Neither of them responds. Even the statistics do not count up that there was
> a solicit message.
>
>
>
> I am intending to open a ticket with MS, but sasupport seems to be
> non-functional for me at the moment.
>
>
>
> So, I thought I would ask here.   All my clients are Windows 7/2008R2, and
> my two servers are 2008 R2.
>
>
>
> Thanks for reading.
>
>
>
> Jason
>
>
>
>




RE: DHCPv6

2010-07-12 Thread Jason Gauthier
Well, after diligence and testing... I've solved this.  Windows 2008
DHCPv6 will not work reliably without having a static IPv6 address
assigned to it.

I have not decided how I feel about that yet.  

 

From: Jason Gauthier 
Sent: Friday, July 09, 2010 3:12 PM
To: NT System Admin Issues
Subject: DHCPv6

 

Greetings,

 

I'm struggling with an issue with DHCPv6.   I'm using this, effectively,
as stateless.   I have a Cisco router set up to multicast router
advertisements.  It is doing so successfully, setting the options
"Managed" to false, and "Other" to true.

 

I have confirmed through network traces and Windows 7 DHCPv6 event logs
that it is receiving the announcements, and setting the options
correctly.

 

This is working good!

 

Now, here comes the part that I'm struggling with.  Once the options are
set, the client machine should (and does) poll for DHCPv6 options only.

Again, I've confirmed through network traces that this is happening
successfully.

 

15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
fe80::188b:8ff9:305c:71a3.546 > ff02::1:2.547: [udp sum ok] dhcp6
solicit (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1
time 316484303 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client
FQDN) (vendor class) (option request DNS name DNS vendor-specific info
Client FQDN).

 

My DHCPv6 server (running netmon) can definitely see the multicast
requests sent to FF02:0:0:0:0:0:2:1.  However, it doesn't respond,
acknowledge, or otherwise seem to care.

 

Options 23 (DNS Recursive Name) and options 24 (Domain Search List) are
set.  

 

I have done this on two different networks, two different DHCPv6
servers.  Neither of them responds. Even the statistics do not count up
that there was a solicit message.

 

I am intending to open a ticket with MS, but sasupport seems to be
non-functional for me at the moment.

 

So, I thought I would ask here.   All my clients are Windows 7/2008R2,
and my two servers are 2008 R2.

 

Thanks for reading.

 

Jason
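
The client ID field in the solicit trace above ("hwaddr/time type 1 time 316484303 00155d320606") is a DUID-LLT as defined in RFC 3315, section 9.2. The following added example, which is not part of the original post, decodes it; the byte string is rebuilt from the values printed in the trace, and the function and field names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# DUID-LLT timestamps count seconds from 2000-01-01 00:00 UTC (RFC 3315, 9.2).
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def _fmt(lladdr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in lladdr)


def parse_duid(duid: bytes) -> dict:
    """Decode a DHCPv6 DUID; types 1 (LLT) and 3 (LL) embed a link-layer address."""
    if len(duid) < 2:
        raise ValueError("DUID too short")
    (duid_type,) = struct.unpack_from(">H", duid, 0)
    if duid_type == 1:  # type, hardware type, time, link-layer address
        if len(duid) < 8:
            raise ValueError("truncated DUID-LLT")
        hw_type, secs = struct.unpack_from(">HI", duid, 2)
        return {"kind": "LLT", "hw_type": hw_type,
                "generated": DUID_EPOCH + timedelta(seconds=secs),
                "lladdr": _fmt(duid[8:])}
    if duid_type == 3:  # type, hardware type, link-layer address
        if len(duid) < 4:
            raise ValueError("truncated DUID-LL")
        (hw_type,) = struct.unpack_from(">H", duid, 2)
        return {"kind": "LL", "hw_type": hw_type,
                "generated": None, "lladdr": _fmt(duid[4:])}
    # Other DUID types (e.g. enterprise-number based) carry no link-layer address.
    return {"kind": f"type-{duid_type}", "hw_type": None,
            "generated": None, "lladdr": None}


# Rebuilt from the trace: DUID type 1, hardware type 1 (Ethernet),
# time 316484303, link-layer address 00155d320606.
TRACE_DUID = struct.pack(">HHI", 1, 1, 316484303) + bytes.fromhex("00155d320606")

if __name__ == "__main__":
    info = parse_duid(TRACE_DUID)
    print(info["kind"], info["hw_type"], info["lladdr"], info["generated"].isoformat())
```

The decoded fields show that every solicit from this client carries its MAC address and the time the DUID was generated, even though its link-local source address does not embed the MAC.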

