1 July 2013, 14:22

One of the novelties IPv6 brought is SLAAC ( Stateless Address Autoconfiguration ).




Basically, it builds on the premise of the old IPv4 169. autoconfig, but turns it into something fully functional: a simple, plug-and-play, full autoconfiguration of hosts, for Global Internet connectivity.

We will see SLAAC theory, then real examples and configurations of SLAAC served by a 40€/$ network router and SLAAC served by a Windows OS router. We'll have a look at what benefits a 200+ €/$ network router can bring SLAAC-wise. Finally, we'll sum up all the flag settings we'll go through.

SLAAC :  The theory


SLAAC ( Stateless Address Autoconfiguration ) allows a host to autoconfigure itself by means of advertised network prefixes.

SLAAC is built on RAs ( Router Advertisements ) as a foundation. Let's look closely at an advertised SLAAC RA.

First, the ' managed ' flag must be unset to allow hosts to autoconfigure :




Secondly, we have an RA option here, named prefix information :




Let's expand the ' prefix information message ' to see the option flags :




If the ' on link ' flag and the ' Autonomous address-configuration ' flag are both set, then a host can create an IPv6 address, using the advertised prefix as network ID, and using either a modified EUI-64 ( MAC address based ) or an RFC 4941 privacy ID ( IPv6 Privacy ) as a host ID.

Network ID+Host ID = Autoconfigured IPv6 address


We now have an IPv6 address autoconfigured


We already have a default gateway autoconfigured ( see Part 1 of IPv6 Dynamic Networking )


What our host still lacks for Global Internet connectivity is the DNS server IPs. Either of two mechanisms provides them : ND RDNSS or Stateless DHCPv6.



The first mechanism is ND RDNSS ( Network Discovery Recursive DNS Server ) and ND DNSSL ( Network Discovery DNS Search List ) as an RA option ( RFC 6106 ). It provides a means for the router to add these optional lines to the advertised RAs.
Some OSes don't support RFC 6106, like Windows OS, unless you use an open-source third-party add-on.
When using ND RDNSS, the router's RA ' other ' flag is unset :






SLAAC and Stateless DHCPv6

The second mechanism is the host configuration being completed by a DHCPv6 request.


The router keeps the managed flag unset, allowing the host to perform SLAAC. The ' other ' flag is set, telling the host to perform a stateless DHCPv6 request to complete its configuration :



Note that in this case, the DHCPv6 request can be served by either the network router or a discrete link-local DHCPv6 server. The host preference will follow the same rules as outlined in the previous post about DHCPv6.

IPv6 SLAAC using a network router





Performing SLAAC by means of our neat Dlink DIR 626-L is pretty straightforward. We just have to check ' Enable automatic IPv6 address assignment ' and choose either SLAAC+RDNSS or SLAAC+Stateless DHCPv6 :




I haven't managed to make SLAAC+RDNSS work on the DLink 626L. The RDNSS options are not in the captured IPv6 RAs on the network. I keep on being puzzled by that. I'll complete or correct this subject here when I find out.

In the case of SLAAC+Stateless DHCPv6, it worked and performed perfectly. The IPv6 address is autoconfigured, based on the LAN IPv6 address of the network router, configured on the same page. It can only be a /64.


The DHCPv6 DNS request is served by the Dlink's own DHCPv6 server, without anything needing to be configured. It just passes on the DNS server IPs configured on the Dlink, on the same page.


In case another DHCPv6 server is present link-local, it will be preferred by the host, provided it features more information or has a >0 preference flag ( see previous post ).

A few last notes about the DLink DIR 626-L with SLAAC :

The DLink router lifetime as a gateway is set to 180 s by design
The router advertisement lifetime setting is the host's SLAAC address lifetime ( 1440m=24h default )



IPv6 SLAAC using a Windows Server 2008 R2 as an IPv6 router + SLAAC provider





( To see how to make an IPv6 router out of any Windows OS with two network cards, or how to set it up as an IPv6 tunnel endpoint, please see previous posts ).


Windows Server 2008 R2 doesn't support serving SLAAC+RDNSS, so we can only use SLAAC+Stateless DHCPv6.


Let's do a quick cleanup of the server DHCP and IPv6 settings :
We empty the folders C:\windows\System32\DHCP and C:\Windows\System32\DHCP\Backup
We do an IPv6 reset : netsh int ipv6 reset
We reboot

First, we add the DHCP server role, using server manager :

We check only the LAN NIC


We choose the DNS search list and the DNS servers, and don't need to create an IPv4 scope; we just click Next.
We choose ' Enable DHCPv6 stateless mode ' and fill in the DNS search list and DNS servers that will be advertised by the server :




We have now enabled the DHCPv6 server to perform stateless requests.

For the hosts to be able to perform SLAAC, more work needs to be done by hand.


We first allow router discovery and advertising :


netsh int ipv6 set int [Idx] routerdiscovery=enable
netsh int ipv6 set int [Idx] advertise=enable


where [Idx] is the lan interface index.


We then have to choose and allow the published prefix. For this, we just have to type :


netsh int ipv6 show route
netsh int ipv6 set route [prefix]::/64 [IDx] :: publish=yes


where [prefix] is the lan prefix you want to be published, and [IDx] is the lan interface index.


Finally, to allow the router to be a routing default gateway :


netsh int ipv6 set int [IDx] forwarding=enable
netsh int ipv6 set int [IDx] advertisedrouterlifetime=1800
netsh int ipv6 set int [IDx] advertisedefaultroute=enable
netsh int ipv6 set int [IDx2] forwarding=enable

where [Idx] is the lan interface index and where [Idx2] is the Wan interface index.

Here is the complete sequence :



Well, nothing else needs to be taken care of. Just look at your advertisedrouterlifetime setting ( 1800 s default ), because too small a value may make your hosts discard the default gateway before a new RA arrives to renew its validity, thus creating an inconsistent connection. To verify a host's remaining default gateway lifetime :


netsh int ipv6 show route verbose

A few more notes : Windows Server 2008 R2, when offering to enable or disable DHCPv6 Stateless mode, really does nothing more than hand you option 23 and option 24 of the stateful DHCPv6 server ( see previous post : DHCPv6 ). We can just as well choose the ' disable DHCPv6 Stateless mode ' option, and right-click the DHCP Server IPv6 options to set the DNS Servers and DNS Search List options ( no. 23 and 24 ). It will all work just the same.


SLAAC with a pro-grade network router

Here is what a pro-grade ( 200+ €/$ ) network router may bring you SLAAC-wise that a consumer-grade network router lacks :

Domain search list
Unicast / Multicast advertise mode
Advertise interval
RA flags manual setup
Router Preference
MTU settings   
Router lifetime
Prefix length
Prefix lifetime

Sum-up of flag combinations

Here are the different combinations of the 4 flags ( managed, other, on-link, autoconfigure )

and the host setup each one initiates :


flags set                                                       setup


managed                                                     full DHCPv6
other + onlink + autoconfigure                SLAAC+Stateless DHCPv6
onlink + autoconfigure                              SLAAC+RDNSS
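
As an added example ( not part of the original post ), the sketch below decodes the RA fields covered in this post and maps the flags to the host setup in the table above. It also reports an RA that implies SLAAC+RDNSS but carries no RDNSS option, the situation described earlier for the DIR 626-L. The packet bytes are constructed samples with a zero checksum, and all function names are this example's own.

```python
import ipaddress
import struct

PRF = {0: "medium", 1: "high", 3: "low"}  # 2-bit Prf field; value 2 is reserved


def parse_ra(data: bytes) -> dict:
    """Decode the RA header flags plus Prefix Information and RDNSS options."""
    if len(data) < 16 or data[0] != 134:  # ICMPv6 type 134 = Router Advertisement
        raise ValueError("not an ICMPv6 Router Advertisement")
    flags = data[5]
    router_lifetime = struct.unpack_from("!H", data, 6)[0]
    ra = {
        "managed": bool(flags & 0x80),
        "other": bool(flags & 0x40),
        "preference": PRF.get((flags >> 3) & 0x3, "reserved"),
        "router_lifetime": router_lifetime,
        "default_gateway": router_lifetime != 0,  # zero: not a default gateway
        "prefixes": [],
        "rdnss": [],
    }
    pos = 16
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[pos], data[pos + 1] * 8  # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(data):
            raise ValueError("malformed RA option length")
        body = data[pos:pos + opt_len]
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}",
                "on_link": bool(body[3] & 0x80),
                "autonomous": bool(body[3] & 0x40),
                "valid_lifetime": struct.unpack_from("!I", body, 4)[0],
            })
        elif opt_type == 25 and opt_len >= 24 and (opt_len - 8) % 16 == 0:  # RDNSS
            for off in range(8, opt_len, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[off:off + 16])))
        pos += opt_len
    return ra


def host_setup(ra: dict) -> str:
    """Map the flags to the setup named in the sum-up table."""
    if ra["managed"]:
        return "full DHCPv6"
    slaac = any(p["on_link"] and p["autonomous"] for p in ra["prefixes"])
    if slaac and ra["other"]:
        return "SLAAC+Stateless DHCPv6"
    if slaac:
        return "SLAAC+RDNSS"
    return "not covered by the table"


def missing_dns(ra: dict) -> bool:
    """True when hosts are left to RDNSS for DNS but the RA carries none."""
    return host_setup(ra) == "SLAAC+RDNSS" and not ra["rdnss"]


def build_ra(managed, other, lifetime, prefix, on_link=True, autonomous=True, rdnss=()):
    """Build a constructed sample RA (checksum left at zero, not validated)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    pkt = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    pkt += struct.pack("!BBBBIII", 3, 4, net.prefixlen, pflags, 86400, 14400, 0)
    pkt += net.network_address.packed
    if rdnss:
        pkt += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, 1800)
        pkt += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return pkt


if __name__ == "__main__":
    samples = {
        "stateless": build_ra(False, True, 180, "2001:db8:0:1::/64"),
        "stateful": build_ra(True, True, 1800, "2001:db8:0:1::/64"),
        "rdnss": build_ra(False, False, 180, "2001:db8:0:1::/64",
                          rdnss=("2001:db8:0:1::53",)),
        "rdnss, option absent": build_ra(False, False, 180, "2001:db8:0:1::/64"),
    }
    for name, pkt in samples.items():
        ra = parse_ra(pkt)
        print(f"{name}: {host_setup(ra)}, gateway={ra['default_gateway']}, "
              f"missing DNS={missing_dns(ra)}")
```
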

Published by computer outlines in IPv6

29 June 2013, 09:31

We'll see here how to set up the Raspberry Pi as a DHCPv6 client and server, using wide-dhcpv6,
with example configuration files.

Please see previous post for DHCPv6 theory ( DUID, IAID, ... )




RaspberryPI DHCPv6 client setup



First we disable SLAAC :

sudo nano /etc/sysctl.conf :


nb : net.ipv6.conf.eth0.autoconf=0 might be needed to erase a previous setup. Use it if needed.

We install the Wide-DHCPv6-Client :

sudo apt-get install wide-dhcpv6-client

At installation, the listening interfaces are requested. We choose eth0 in this case.


We edit the configuration file :

sudo nano /etc/wide-dhcpv6/dhcp6c.conf :

interface eth0{
  send ia-na 0;
  request domain-name-servers;
  script "/etc/wide-dhcpv6/dhcp6c-script";
};

id-assoc na 0 {
};

We reboot the Raspbian OS

A few explanations about this config file :

interface eth0{ ... };                                                   defines settings for eth0

  send ia-na 0                                                           sets IAID 0 for this interface
  request domain-name-servers                          request DNS IPs
  script "/etc/wide-dhcpv6/dhcp6c-script"            copies the DNS IPs in /etc/resolv.conf 

id-assoc na 0 { };                                                     needed stanza

For reference, here is the /etc/network/interfaces file for the interface eth0 to behave as a DHCPv4/DHCPv6 client :

auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Firewall settings

We have to remember to allow in DHCPv6 answers if the firewall is too restrictive :

ip6tables -A INPUT -s FE80::/10 -p udp --dport=546 -j ACCEPT

Raspbian with 2 DHCPv4/DHCPv6 listening interfaces

While rarely useful, this configuration is interesting to outline. It does bring some
subtleties to light :

First, be sure to install wide-dhcpv6-client and to select both interfaces at the initial setup : eth0 eth1
( Or do rpkg ). Forgetting to do this will leave the unregistered interface not listening.

Here is the dhcp6c.conf file :

# Default dhcp6c configuration: it assumes the address is autoconfigured using
# router advertisements.

interface eth0{
  send ia-na 0;
  request domain-name-servers;
  request domain-name;
  script "/etc/wide-dhcpv6/dhcp6c-script";
};

interface eth1{
  send ia-na 1;
  request domain-name-servers;
  request domain-name;
  script "/etc/wide-dhcpv6/dhcp6c-script";
};

id-assoc na 0 {
};

id-assoc na 1 {
};



This is how we set up the IAIDs, one per interface.
Here is the /etc/network/interfaces file :

auto lo

iface lo inet loopback
iface eth0 inet dhcp
iface eth1 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Finally here is an extract of sysctl.conf :

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host

( the last two lines may be needed, if the previous settings don't want to discard ).




Raspbian as a DHCPv6 Server


( currently being written )


Published by computer outlines in RASPBERRY PI

28 June 2013, 14:13

DHCPv6, also named stateful DHCPv6, is very similar to DHCPv4. It allows full control of address attribution, and full host configuration ( IPv6 address, prefix length, DNS servers, DNS prefix, NTP servers, ... ). Remember that DHCPv6 won't hand out default gateway information to hosts ( see previous part ).

We'll set up DHCPv6 using a network router, as well as a Windows Server OS. We'll see the DHCPv6 options an enterprise-grade network router can provide that a consumer product lacks. We will finally see the multicast addresses DHCPv6 uses.


But first, let's have a look at the way DHCPv6 functions, and lay out a little theory.



DHCPv6 Functioning


IPv6 provides two ways for host autoconfiguration : DHCPv6 and SLAAC.


We saw how default gateways and routes are advertised by Routers, using RAs ( Router Announcements ). There is another part of a RA that we need to take a look at :




The managed address configuration flag and the other configuration flag, if both set, have the router tell hosts :


Do a DHCPv6 request, for full DHCPv6 configuration ( IPv6 address, prefix length, DNS servers, DNS prefix, NTP servers, ... )


So if the DHCPv6 server is also the default gateway, the process is :


1. The router advertises RAs stating :

   . Router is default gateway

   . Hosts should request full DHCPv6 configuration ( managed and other flags set )


2. The host sends a DHCPv6 request to all DHCPv6 servers on-link


3. The router handles the DHCPv6 request



We can check the status of a Windows OS host interface ( [Idx] ) using :


netsh int ipv6 show int [Idx]




Please note that for hosts, these flags reflect the state they're in due to received RAs. You can't set these flags on a host, only on a router ( or a routing computer, see part 1 of Dynamic networking ).


Finally, there is an optional field in DHCPv6 messages, the preference value :




If a host receives replies from two different DHCPv6 servers, it will choose the highest preference one.

If both replies have equal preference value, it will choose the one featuring the most information.

The host CAN choose the lower-preference reply if it features more information; it depends on the host settings.

A preference value of 0 results in the lack of the preference option field in the DHCPv6 message.


DHCPv6, DUID, IAID and Network Interfaces



Whereas with DHCPv4, clients were identified by the server with their MAC address,
with DHCPv6 they're identified with their DUID : Dhcp Unique IDentifier.
Each DHCP client has a unique DUID, that is not to change, even if one of the LLA ( Link-Local Address ) of the client changes.

One computer has several IAs ( Identity Associations ) : one per NIC ( plus possibly one per IA type : NA, TA, ... )
The computer IAs are identified with their IAIDs ( IA ID ) : this ID number has to be unique for a given computer, and is not to change for a given interface.

EX : A computer with two interfaces requesting permanent DHCPv6 addresses on both has :

. 1 DUID
. 2 IAID ( one per interface )

As soon as a lease has been granted by the DHCPv6 server, it will register the DUID and IAIDs for this lease.

The DUID is created at the OS installation, or DHCPv6 client package installation.

It is Link-Local Address derived ( there are three different formats : LLA, LLA+time, Unique Vendor Specific ), and at most 128 bytes long. Only one LLA is used ( preferentially that of a chipset-integrated NIC ).


The IAID is created when a new network card is installed. It is 4 Bytes long.

To see the DUID and IAID's of a Windows OS : ipconfig /all
To see the DUID and IAID's of a Raspbian OS with wide-dhcpv6 package :



DHCPv6 with a consumer-grade network router



Let's see how to use DHCPv6 with our neat, 40€/$ Dlink DIR 626L ( Router 1 here ) :





It's all very obvious indeed, with the only exception I outlined earlier that this setting is in the ' Manual IPv6 Internet Connection Setup ' submenu, not in the local connectivity submenu :




Well, we just have to :

check ' enable automatic IPv6 address assignment '
choose the ' Stateful ( DHCPv6 ) ' option in the submenu
assign an address range
set up the lease time


Pretty simple and easy.
Note that the network router hands out DNS server IPs based on its own registered DNS servers ( on the same ' Manual IPv6 Internet Connection Setup ' submenu ). All is sent using DHCPv6 messages.


The Lan IPv6 Address is limited to a /64, and DHCPv6 Address range uses it as the network prefix. You can choose the remaining 64 bits to define the host id range.


Note too that the IP addresses are leased in a successive, linear way; there is no randomized choice out of the address pool.


There is no other option to set or choose from.




DHCPv6 with a Windows Server OS



Using Windows Server 2008 R2 as an example, let's see how to turn it into a DHCPv6 server and default gateway, using this network map :





For IPv6 router/default gateway, please see the previous post.

Let's see how to add DHCPv6 :


First, I recommend to clean up any previous DHCP setup on the server. Just delete the content of these folders :





Then, add the DHCP server role using the Server Manager


Only select the Lan NIC here

Create the IPv4 Scope, using default settings ( No WINS, ... )

Choose ' Disable DHCPv6 Stateless '


Now, let's add an IPv6 scope :


Server Manager ) DHCP ) IPv6 ) Right click ) New Scope


All we have to set up is :


scope name and description


scope prefix ( /64 )


preference level                          ( default ( 0 ) is all right as there are no other DHCPv6 server here )


We can use some exclusions to narrow the leased scope. As an example, if we only want to lease host IDs :

4:0000 to 4:FFFF


We add two exclusions :

0:1 to 3:FFFF




Last, we set up the DNS servers and DNS prefix for our DHCPv6 server to announce :


IPv6 ) Server Options ) Right click ) Configure Options


option 23          [ enter the IPv6 DNS IPs here ]

option 24          [ enter the DNS prefix here ]



Well, that's all that needs to be done. You can note that the IPv6 address leases are chosen randomly from the address pool.



DHCPv6 with a network router as default gateway, and a Windows Server DHCPv6 server


Here is the network map :




Well, nothing is different from the previous examples we saw, except a little detail here :


Our D-Link, to be able to advertise default gateway RAs, must be set on lan autoconfiguration :




We have to choose Stateful ( DHCPv6 ) so the right flags ( managed + other ) are set on the advertised RAs, so the host performs a DHCPv6 request.

And when choosing the DHCPv6 setting on the network router, we have to be sure the Windows Server DHCPv6 server will be preferred over the network router's one.


We could set the Windows Server DHCPv6 preference value higher, so that it will be preferred. The D-Link DIR 626-L preference value is fixed to 0.


But it isn't needed, as the Windows Server DHCPv6 server provides more information in reply to DHCPv6 requests ( Domain prefix, FQDN, vendor specific infos ), and thus gets preferred.


This is a perfect example of the IPv6 paradigm shift, and the new problems it creates ( and solves ).




DHCPv6 with a pro-grade network router


Compared to a consumer-grade network router, a typical 200+ €/$ pro-grade router may provide you these added features and options, DHCPv6-wise :


. Router's preference value

. DNS prefix

. Lan prefix length

. DNSv6 proxy

. Multiple DHCPv6 address pools

. randomization of address pool leases



DHCPv6 Multicast addresses



Here are the main addresses DHCPv6 makes use of. They are IPv6 Multicast addresses :


Router's RAs use ff02::1 for ICMPv6 RAs


Hosts use ff02::1:2 for DHCPv6 requests


Further, you may encounter requests sent to ff05::1:3


Here are their meanings :


ff02::1                          all nodes link-local


ff02::1:2                       all DHCP servers and relay agents link-local


ff05::1:3                       all DHCP servers on the local network site


Published by computer outlines in IPv6

28 June 2013, 13:47

After having seen IPv6 default gateway advertisement in the previous post, we will now have a look at IPv6 route advertisement.


Effectively, RA ( Router Advertisement ) provides a way for hosts and routers to announce and publish known routes.

Let's see three practical examples, using the last setup of the Static IPv6 Networking :




[ G ] ::/48 is our /48 prefix. Out of this we create 3 subnets, [ G ]:1::/64, [ G ]:2::/64 and [ G ]:3::/64.

The two network routers are consumer-grade IPv6 routers ( DLink DIR 626-L in this case ), the Windows OS Router can be any Windows client or server edition. Let's see the network map again :




The default gateway of Router 2 and OS Router 1 is Router 1. All the hosts' default gateways are obvious.

So for full hosts connectivity, we need :


Router 2 to advertise the [ G ]:2::/64 subnet to Router 1

OS Router 1 to advertise the [ G ]:3::/64 subnet to Router 1




Consumer-grade network router


So we need Router 2 to advertise to Router 1 its knowledge of [ G ]:2::/64, so we don't have to set up a static route in Router 1.


 ( to be continued )

Published by computer outlines in IPv6

27 June 2013, 15:55

We'll see the precise basis needed to understand the IPv6 dynamic networking shift, and see the most important consequence : Default Gateway advertisement. We'll see how to configure a network router or a Windows OS router to be an advertised default gateway. Finally, we'll see IPv6 multicast addresses.





IPv6 nodes roles


To have a clear view, we need to lay out some basics, because IPv6 is a big thought shift from IPv4.

Let's define 3 roles :

a router : performs routing, ie packet forwarding
a host : has an ip address, but doesn't perform routing
a node : a router or a host

So a node is either a host or a router.


A network router, like a D-link DIR 626L, obviously is a router, and this won't change.


A Windows PC is either a host or a router. It depends on its ability to forward packets. To check this, type :
netsh int ipv6 show int [Idx]
and look at the line ' forwarding '. If forwarding is enabled, then it's considered a router, ipv6-wise.

In IPv6, Routers perform routing, and thus advertise routes and default routes. Hosts don't. Period.




RA - Router Advertisement


Routes are advertised by means of RAs ( Router Advertisements ). RAs belong to the NDP ( Network Discovery Protocol ). NDP is part of ICMPv6.

What do Routers advertise by means of RAs ? They advertise :


. On-link prefixes
. Default gateway
. Autoconfiguration information ( SLAAC )
. Other autoconfiguration information : presence of a stateful DHCPv6 server on-link, MTU value to be used.

RA are advertised every 20 to 40 s on average. Hosts receive this beacon, and act accordingly.
Let's see the main part of a RA packet :



The first line to check is Router Lifetime. If it is different from zero, the router is advertising itself as a default gateway. This value only refers to the router's default gateway ability, not to the lifetime of other advertised routes.

Here is the equivalent, on a routing Windows OS, using : netsh int ipv6 show int [Idx]

Now let's have a closer look. There is another important flag to see in a RA packet :






Prf ( Default Router Preference ) : sets the priority level of this router to act as a default gateway

If a router is advertising RA packets, and is willing to act as a default gateway, it will set its router  lifetime to a value different than zero, and set its preference level ( medium by default )

Hosts, on the other hand, will listen to RAs, and update their default gateway accordingly, choosing the router with the highest preference value.
If two routers are advertising RAs with equal preference value, the host will register two default gateways on this link.
Which is not a recommended practice.



Default Gateway configuration example using a network router





On a network router, like the D-Link DIR 626L, you can set the autoconfig to any mode ( Stateful DHCPv6, SLAAC+Stateless DHCPv6, SLAAC+RDNSS ) to have the default gateway announced.
Only ' No autoconfiguration ' mode will completely disable the RA default gateway announcement ( it sets the router's lifetime to zero ) :




There's nothing more to do, nor option to set.


Default Gateway configuration example using a Windows OS Router




On a Windows OS, you also have to set ' advertisedefaultroute=enable ' on the routing interface. So for complete functioning you need :


advertisedrouterlifetime=[x]        with x>0


Here are the complete command lines, with [Idx1] as LAN interface and [Idx2] as WAN interface :




I also include the complete netsh int ipv6 int [Idx1], for reference, just in case you scrambled your settings and don't want to do a netsh int ipv6 reset :







Default Gateway using more advanced products



Using consumer-level products ( Windows client OS, entry-level network router ) limits the fine-tuning control we have over the default gateway announcement.

To have more control and options, we need professional products, like pro-grade network routers ( 200+ €/$ ), or a Windows Server OS ( using RRAS ). We can then set the router's preference, for example.



Multicast IPv6 addresses



At this stage we encounter a new kind of IPv6 address : Multicast IPv6 addresses.

RAs are sent from Routers to this address :




Here is a network sequence using Wireshark :




ff02::1 is a multicast address, whose meaning is ' all nodes link local '. To see the multicast groups a host joined, just type :


netsh int ipv6 show joins


Here are a typical Windows 7 host's multicast groups with their meanings :


ff01::1            all nodes interface local
ff02::1            all nodes link-local
ff02::c            SSDP link-local
ff02::1:3        multicast name resolution link-local
ff02::1:ff00:101    solicited node multicast link-local

IPv6 makes great use of multicast, to reduce broadcast-caused traffic congestion.


The first part ( ff01::, ff02::, ... ) encodes the scope :

ff01:: is interface local, ff02:: is link-local, ff05:: is site local, etc ...


The second part ( 1, c, 1:3, ... ) encodes the node type :

1 is a node, 2 is a router, 9 is a RIP router, 1:3 is a DHCP server, etc ...

Published by computer outlines in IPv6

20 June 2013, 14:19

RFC 6724 : Default Address Selection for Internet Protocol Version 6 (IPv6)

As IPv6 hosts may have several IPv6 addresses over a single network interface, a choice has to be made by the OS to select a Source IP, as well as a Destination IP.

Furthermore, in case of Dual-Stack IPv4/IPv6 networking, a choice has to be made too about which IP to use as Source and Destination IPs : IPv4 or IPv6.

Finally, in case there are several physical or virtual network interfaces ( ex: tunnelling, .... ), a choice has to be made too.

RFC 6724 provides the mechanisms to be implemented in OSes and in software to resolve this Source Address and Destination Address selection.


The RFC 6724 Basic Algorithm

. Each Address is passed through the prefix policy table, and thus receives a Precedence and a Label value.

. The Source address is selected

. The Destination address is selected

The Prefix policy table


To show the Prefix policy table on a windows OS :


netsh int ipv6 show prefix


Here is the default Prefix Policy table :


      Prefix          Precedence            Label
      ::1/128                 50                     0
      ::/0                        40                     1
      ::ffff:0:0/96           35                     4
      2002::/16             30                    2
      2001::/32              5                     5
      fc00::/7                  3                     13
      ::/96                       1                      3
      fec0::/10               1                      11
      3ffe::/16                1                      12

It's a longest prefix match, like the routing table. Each candidate address receives a Precedence and a Label value, based on this longest prefix match.

The IPv4 addresses are processed through this table too, using a ::ffff:0:0/96 IPv4 mapped address.



here is the meaning of the default table entries :

::1/128                                   Loopback
::/0                                          Default Route
::ffff:0:0/96                             IPv4 mapped address
2002::/16                              6to4
2001:0000::/32                    reserved for teredo
fc00::/7                                  ULAs
::/96                                        IPv4 compatible address ( deprecated )
fec0::/10                                ancient site-local address, deprecated
3ffe::/16                                 6bone

notes :

IPv6 GUA wins over IPv4 Public IP for destination choice because the IPv6 address matches a 40 preference, whereas the IPv4 address gets a 35

::/0                 40    1
::ffff:0:0/96    35    4

For source selection, a source whose label matches the destination's wins ( rule 6 ), all other rules being equal

So this default table prefers IPv6 over IPv4, and native connectivity over tunnelled one.

source selection


All the potential source addresses are processed through this set of rules, discarding addresses as they lose in a rule, and stopping when only one address is left :


1.  Prefer same address ( ie source IP=destination IP )
2.  Prefer appropriate scope
3.  Avoid deprecated addresses
4.  Prefer home address ( Mobile IPv6 )
5.  Prefer outgoing interface ( ie to internal forwarding interface )
5.5 Prefer the next-hop advertised prefix addresses
6.  Prefer matching label
7.  Prefer temporary address
8.  Use longest matching prefix

nb : rules 5.5 and 8 are optional, and can be superseded

        rule 7 is supposed to be user-configurable in OS and applications

destination selection

1.  Avoid unusable destinations ( unreachable or undefined )
2.  Prefer matching scope
3.  Avoid deprecated addresses
4.  Prefer home addresses
5.  Prefer matching label
6.  Prefer higher precedence
7.  Prefer native transport
8.  Prefer smaller scope
9.  Use longest matching prefix
10. Otherwise, choose the first on the list

note : rules 9 and 10 may be superseded

Example of Prefix Policy Table settings


For administrative purposes, the prefix policy table may be changed to achieve a particular effect. For example :


Preferring IPv4 :

To prefer IPv4 over IPv6 for Internet access, we raise the preference value of the ::ffff:0:0/96 row ( which matches IPv4 addresses ) to 100, above the ::/0 preference value of 40 ( which matches IPv6 default addresses ) :


      Prefix          Precedence            Label

      ::ffff:0:0/96          100                   4
      ::1/128                 50                     0
      ::/0                        40                     1
      ::ffff:0:0/96           35                     4
      2002::/16             30                    2
      2001::/32              5                     5
      fc00::/7                  3                     13
      ::/96                       1                      3
      fec0::/10               1                      11
      3ffe::/16                1                      12

command line :


netsh int ipv6 set prefix ::ffff:0:0/96 100 4
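
An added example, not from the original post : a longest-prefix lookup over the default table listed above, showing how the netsh change reverses the IPv6/IPv4 destination order and how label matching picks a source. Only destination rule 6 and source rule 6 are modelled, assuming every earlier rule ties; the addresses are constructed samples and the function names are this example's own.

```python
import ipaddress

# (prefix, precedence, label) rows of the default table listed in this post
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]


def as_ipv6(addr: str) -> ipaddress.IPv6Address:
    """IPv4 addresses go through the table as ::ffff:a.b.c.d mapped addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{ip}")
    return ip


def lookup(addr: str, table=DEFAULT_POLICY):
    """Return (precedence, label) of the longest matching prefix."""
    ip = as_ipv6(addr)
    matches = [
        (ipaddress.IPv6Network(prefix), precedence, label)
        for prefix, precedence, label in table
        if ip in ipaddress.IPv6Network(prefix)
    ]
    _, precedence, label = max(matches, key=lambda m: m[0].prefixlen)
    return precedence, label


def set_prefix(table, prefix: str, precedence: int, label: int):
    """Model of 'netsh int ipv6 set prefix'.

    Assumption of this example: an existing row for the same prefix is
    replaced rather than duplicated.
    """
    wanted = ipaddress.IPv6Network(prefix)
    rows = [row for row in table if ipaddress.IPv6Network(row[0]) != wanted]
    return rows + [(prefix, precedence, label)]


def order_destinations(candidates, table=DEFAULT_POLICY):
    """Destination rule 6 only: higher precedence first, ties keep input order."""
    return sorted(candidates, key=lambda addr: -lookup(addr, table)[0])


def pick_source(dest: str, sources, table=DEFAULT_POLICY):
    """Source rule 6 only: prefer the source whose label matches the destination's."""
    dest_label = lookup(dest, table)[1]
    for src in sources:
        if lookup(src, table)[1] == dest_label:
            return src
    return sources[0]


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges and the post's ULA prefix).
    dests = ["192.0.2.1", "2001:db8::1"]
    print("default table :", order_destinations(dests))
    ipv4_first = set_prefix(DEFAULT_POLICY, "::ffff:0:0/96", 100, 4)
    print("after set     :", order_destinations(dests, ipv4_first))
    sources = ["fd07:44de:a327:2::140", "2001:db8:0:2::140"]
    print("to a GUA      :", pick_source("2001:db8:ffff::1", sources))
    print("to a ULA      :", pick_source("fd07:44de:a327:2::1", sources))
```
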


Published by computer outlines in IPv6

20 June 2013, 13:37

Using ULA ( Unique Local Addresses ) and GUA ( Global Unicast Addresses ) on the same network.




We're going to see how to use both ULA and GUA on the same network, the limitations or problems that might occur, as well as the way to solve them.


We'll use ULA subnets based on the fd07:44de:a327::/48 prefix :





and GUA subnets based on the 2001:0DB8:0::/48 prefix :





keeping the subnet ID in line ( fd07:44de:a327:0::/64 and 2001:0DB8:0::0/64 on the same physical subnet, etc ... ).

Thus, [G] represents a /48 prefix throughout this post.


Using ULA and GUA on a single subnet






Using our neat little Dlink DIR 626-L router ( Router 1 ), let's add ULA capability to a GUA network.
We keep GUA networking in the router's main networking page ( Internet connectivity setup ), and as we do static networking, we disable LAN address autoconfiguration on this page.


and use for the first time the ' local connectivity setup ' to add an ULA capability :




. We check ' enable ULA '
. We don't use default ULA, so we can use our own chosen subnet ID
( the default subnet ID seems to be one-time uniquely generated, but it is fixed. there is no documentation as to how it is generated. MAC derived ? )



Client setup

We're going to configure PC1 to use both an ULA and a GUA.
First, as we're doing static networking here, we disable the ability for PC1 to autoconfigure itself ( ie we disable router discovery ) :
netsh int ipv6 set int [Idx] router=dis

We statically configure a GUA address ( in network connections )

We also need to add an ULA address, using the command line :
netsh int ipv6 add address [Idx] [IP address]
ex : netsh int ipv6 add address 12 fd07:44de:a327:2::140

We can now check the interface addresses :
netsh int ipv6 show address [Idx]

We can also check our local connectivity :
ping fd07:44de:a327:2::1

and our global connectivity :
ping -6 www.wikipedia.org



Tools for troubleshooting the ULA/GUA combination

As we now have 2 potential source addresses, it is good to be able to check which address is used as a source. Here are some tips :

tracert [IP address]                     shows the nodes used, and thus the address type ( ULA or GUA )
tracert -S [source IP] [dest IP]         forces the use of the source IP
ping -S [source IP] [dest IP]            ( same )

Please note that packets with an ULA source address get discarded by Internet routers, so there won't be any answer to a packet sent from an ULA source.
Thus this packet :
tracert -S fd07:44de:a327:3::140 www.wikipedia.org

won't get any answer.
This is one of the big shifts when going IPv6 : ULA addresses are private. Period. No NAT will turn them into public IPs.
On the other hand, GUA addresses are public. So all our network hosts using GUA are public. Period. So take good care of your firewalls ...

There are no tepid waters here, unlike IPv4, where private addresses get Internet access through NAT and public IPv4 addresses get forwarded to the private LAN.

A good deal of the problems when running both ULA and GUA over a subnet come from source address selection, which is well documented ( RFC 6724 ). So checking and troubleshooting the source address selection is the first essential step.
The second essential step is using ' netsh int ipv6 show prefixpolicies ' to see the prefix policies table. ( More information about these in the next post )
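To see why the source address changes with the destination, here is an added Python sketch ( not from the original post, and not Windows' own code ) of the two RFC 6724 rules that usually decide between an ULA and a GUA source : matching label ( Rule 6 ), then longest matching prefix ( Rule 8 ). It uses the RFC 6724 default policy table; the function names and the /64 source prefix length are assumptions, and the other rules are left out.

```python
import ipaddress

# RFC 6724 default policy table: (prefix, precedence, label).
_DEFAULTS = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]
POLICY_TABLE = [(ipaddress.ip_network(p), prec, label)
                for p, prec, label in _DEFAULTS]


def label_of(addr, table=POLICY_TABLE):
    """Label of the longest policy prefix that contains addr."""
    a = ipaddress.IPv6Address(addr)
    matches = [entry for entry in table if a in entry[0]]
    return max(matches, key=lambda entry: entry[0].prefixlen)[2]


def common_prefix_len(src, dst, src_plen=64):
    """Leading bits shared by src and dst, capped at the source prefix length."""
    diff = int(ipaddress.IPv6Address(src)) ^ int(ipaddress.IPv6Address(dst))
    return min(128 - diff.bit_length(), src_plen)


def select_source(dst, candidates):
    """Simplified selection: Rule 6 (matching label), then Rule 8."""
    dst_label = label_of(dst)
    return max(candidates,
               key=lambda s: (label_of(s) == dst_label,
                              common_prefix_len(s, dst)))


# PC1's two addresses, built from the prefixes used in this post.
ULA_SRC = "fd07:44de:a327:2::140"
GUA_SRC = "2001:db8:0:2::140"

if __name__ == "__main__":
    for dst in ("fd07:44de:a327:2::1",      # router, ULA side
                "fd07:44de:a327:3::1",      # another ULA subnet
                "2001:4860:4860::8888"):    # global destination
        print(dst, "<-", select_source(dst, [GUA_SRC, ULA_SRC]))
```

With the default table, an ULA destination ( label 13 ) pulls the ULA source and a global destination ( label 1 ) pulls the GUA source, which is what tracert should show when the policy table has not been modified.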




Adding ULA and GUA over several subnets




The ULA functionality works very well over a single subnet. Unfortunately, the DLink 626-L network engine can't handle routing both ULA and GUA through the WAN port.
Using a Windows OS as a Router, we can have ULA and GUA both routed easily. There's no extra step needed compared to simple ULA or GUA routing.


We just need to have two IPv6 static routes pointing to the subnet #2 in Router 2, one for ULA and one for GUA :







The benefits of using both ULA and GUA in a network

The first benefit is network numbering autonomy. In case of ISP change, or of ISP-attributed network ID change, we can avoid network renumbering, which is a huge task. We just have to setup the routers GUA addresses, and can leave most of our servers infrastructure and setups unchanged ( DNS, AD, ... ).
The second benefit is network isolation. As ULA can't reach the Internet, and can't be reached, we can isolate some key components from the outside world ( AD Server, internal Data Server, .. ), leaving them with ULA-only connectivity.

The benefits of using a GUA-only network :
When using only GUA on our network, the network is somewhat easier to manage and troubleshoot.
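The isolation benefit only holds if the key servers really carry no GUA. As an added example ( not part of the original post ), this Python check walks a constructed inventory and flags hosts marked as isolated that have a GUA, as well as dual-addressed hosts whose ULA and GUA subnet IDs are not kept in line; the inventory layout and the function names are assumptions.

```python
import ipaddress

ULA_NET = ipaddress.ip_network("fc00::/7")   # Unique Local Addresses
GUA_NET = ipaddress.ip_network("2000::/3")   # global unicast space


def classify(addr):
    """Return 'ULA', 'GUA' or 'other' (link-local, loopback, ...)."""
    a = ipaddress.IPv6Address(addr)
    if a in ULA_NET:
        return "ULA"
    if a in GUA_NET:
        return "GUA"
    return "other"


def subnet_id(addr):
    """16-bit subnet ID: the bits between the /48 prefix and the /64 boundary."""
    return (int(ipaddress.IPv6Address(addr)) >> 64) & 0xFFFF


# Constructed inventory. 2001:db8::/32 is the documentation prefix, standing
# in for a real GUA /48 as in the post.
INVENTORY = {
    "ad-server":   {"isolated": True,
                    "addrs": ["fe80::10", "fd07:44de:a327:2::10"]},
    "data-server": {"isolated": True,
                    "addrs": ["fd07:44de:a327:2::20", "2001:db8:0:2::20"]},
    "pc1":         {"isolated": False,
                    "addrs": ["fd07:44de:a327:2::140", "2001:db8:0:2::140"]},
    "pc2":         {"isolated": False,
                    "addrs": ["fd07:44de:a327:3::141", "2001:db8:0:2::141"]},
}


def audit(inventory):
    """Return (host, finding) tuples, sorted by host name."""
    findings = []
    for host in sorted(inventory):
        info = inventory[host]
        ula = [a for a in info["addrs"] if classify(a) == "ULA"]
        gua = [a for a in info["addrs"] if classify(a) == "GUA"]
        if info["isolated"] and gua:
            findings.append((host, "isolated host has a GUA"))
        if ula and gua and ({subnet_id(a) for a in ula}
                            != {subnet_id(a) for a in gua}):
            findings.append((host, "ULA and GUA subnet IDs differ"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY):
        print(f"{host}: {finding}")
```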

Published by computer outlines in IPv6
19 June 2013, 13:57

In this last post about IPv6 Static Networking, we'll briefly see how to use a routed /48 network, and how to design its subnets. See the previous posts for basics like turning a Windows OS PC into an IPv6 router, basic IPv6 routing, creating a Hurricane Electric tunnel, etc ...


The basic network topology will look like this :





But first, let's have a quick look at something very static indeed : the hosts file




IPv6 and the hosts file


Once the network reaches a certain complexity, managing it can be eased a little by the use of the hosts file.

The hosts file holds records of host name/IP address pairs.


It's located at C:\Windows\System32\drivers\etc\


You can edit it with Notepad ( admin mode ). As an example :




Having a good static hosts file on the main PC makes access to network hosts for monitoring and configuration fast and easy.





Creating a routed /48 tunnel with Hurricane Electric



To create the routed /48 tunnel, first we create a regular tunnel at Hurricane Electric.

We then click the ' assign /48 ' link :




We will get this screen :



We have a new value ( [ G ] ) : our routed /48 prefix


please note


Server IPv4 and IPv6 addresses : [ D ] and [ E ]


Client IPv6 address : [ B ]


Routed /48 prefix : [ G ]


For the client IPv4 address, use your IPv6 Tunnel Endpoint Router's WAN IPv4 address, which is likely to be a private address, not the displayed public IPv4 [ A ]. See previous posts.




a routed /48 subnet using 1 IPv6 Router and 1 routing Windows OS



using a Windows OS PC as a second IPv6 router, the network topology looks like this :




PC 1 and PC 2 have Router 2 as default gateway. Router 2 has OS Router 1 as default gateway.


We first setup the tunnel endpoint on OS Router 1 :




then check the 2 Routing interfaces Indexes using : netsh int ipv6 show interface


and issue the routing commands :




we finally assign an IPv6 address from our routed /48 [ G ] to the Lan interface.

Let's create a first /64 subnet, that we'll number 1, out of our /48 :


[ G ]:1:: / 64                                                                  ( replace [G] with your routed /48 prefix )


so we will assign the Lan Interface the IP [ G ]:1::1


As an example, if [ G ] = 2001:DB8:0::/48, our Lan IP will be 2001:DB8:0:1::1


As OS Router 1 has no knowledge of the [ G ]:2:: /64 subnet location, we have to add a route to it :


netsh int ipv6 add route 2001:DB8:0:2::/64 [Idx] 2001:DB8:0:1::230


( replace [Idx] with the OS Router Lan Interface Index )

( we could use netsh int ipv6 add route 2001:DB8:0::/48 [Idx] 2001:DB8:0:1::230 to route the whole /48 subnet beyond Router 2. It works just the same in the present case )



All hosts in the network are now able to ping each other. Just don't forget the Router 2 firewall settings.



One final note : like in the previous example, OS Router 1 doesn't need 2 network interfaces, it can do fine with just one.

Here is the network topology then :




the settings for the tunnel should change in this last case :


Client IPv4 = OS Router 1 Lan IPv4


Router 2 IPv6 default gateway = OS Router 1 Lan IPv6




a routed /48 subnet using 2 networks IPv6 Routers


The network topology is :




Well, if you read the previous post, nothing is different here. The Router 1 IPv6 Tunnel is setup the same way.


We need to add Router 1 a static IPv6 route to the [ G ]:2:: /64 Subnet.

( We can instead add to Router 1 a static IPv6 route to the [ G ]:: /48 subnet, to provide route aggregation beyond Router 2. It works just the same in the present case )


Take care of your firewall rules, and all is easy.



Three Subnets Routing


For this last topology, we will add a third router to the situation. Here is the network topology :




If you followed the last two parts, this should be very easy for you.

Here is the default gateway design :


Hosts                         Default Gateway


PC1, PC2                      Router 2

Router 2                      Router 1

PC 2                          OS Router

OS Router                     Router 1


Here are the routes that need to be added for all hosts to be able to ping each other :


Hosts                         Needed Additional Route


Router 2, Router 1            Subnet 3

OS Router 1, Router 1         Subnet 2



We have then made 3 /64 subnets out of our /48 subnet, and all hosts are able to ping each other.

The network topology is :




This concludes this series of articles about Static IPv6 Networking. The next series will be about IPv6 Dynamic Networking.


Published by computer outlines in IPv6
16 June 2013, 14:26

For this next part, we're going to see how to bring IPv6 internet connectivity to a whole subnet. For this, we will need an IPv6 capable Router, or to use a Windows PC as an IPv6 Router. We'll see both ways to do this.


The basic network topology looks like this :




To have Internet connectivity for a whole subnet, we need what is named a ' routed /64 subnet '.
This means that besides our WAN IPv6 address, which is on a first subnet with the IPv6 ISP endpoint, we need another /64 subnet for our IPv6 LAN. Finally, we need the ISP to route that second /64 subnet to us. That is a ' routed /64 subnet '.
To see how to create an IPv6 Internet Tunnel with Hurricane Electric, see this post : Static IPv6 Networking Part 5 : Internet Connectivity

On our Tunnel Details page, we see this :




We need to note :
the Server IPv4 and IPv6 Addresses : [D ] and [ E ]
the Client IPv4 and IPv6 Addresses : [ A ] and [ B ]
the routed /64 prefix : [ F ]

We also need our client's real IPv4 address : [ C ], which in most cases is a private IPv4. It's the IPv4 address of the router's WAN side in this case. We will use this one as Client IPv4 Address.
Please note that in this case, the client is our Router ( or Windows OS Router )

A Routed /64 subnet using an IPv6 Router

The network topology as a reminder :


First, we need to setup the Wan side of our router. HE ( Hurricane Electric ) IPv6 tunneling type is IPv6inIPv4. We enter the IPv4 and IPv6 endpoints IP addresses, and choose a Lan IP address on the Routed /64 prefix subnet ( [ F ] ) :




As a reminder, we don't use the Local Connectivity tab in this setup. Here is what it should look like :




We then set up PC 1 and PC 2, using the routed /64 prefix, and using the Router Lan IP as a default gateway. As an example :

Name                IP                        prefix length                  DG                     DNS1                                      DNS2
PC1 :                 [F]::40                 /64                                  [F]::1                   2001:4860:4860::8888       2001:4860:4860::8844
PC2 :                 [F]::41                 /64                                  [F]::1                   2001:4860:4860::8888       2001:4860:4860::8844

One last note : we need to take care of the Router IPv6 Firewall. Here is a basic, working configuration :



I'll focus on IPv6, and especially on this D-Link 626-L firewall implementation, in a following post.


We can now try our Internet connectivity :
tracert -d ipv6.google.com

A few notes : The D-Link DIR 626-L doesn't seem to be able to do DNSv6 relay.


A Routed /64 subnet using a Windows OS as an IPv6 Router

Here is the topology we're going to use :



Please note that we will need a switch behind OS Router 1. It can be any switch, or the switching side of an IPv4 Router. If you use a router as a switch, just disable its DHCP and verify its IPv4 subnet.

first, we will create the tunnel :




Then, we will identify the [Idx] of our 2 routing interfaces using this command :


netsh int ipv6 show interface



[ Idx1 ] = Lan side Interface

[ Idx2 ] = IP6Tunnel



and issue the forwarding command for both interfaces ( replace [Idx1] and [Idx2], of course ) :




we then assign the address [ F ]::1 for the Lan Side Router's Interface
and setup PC 1 and PC 2 :

Name                IP                        prefix length                  DG                     DNS1                                      DNS2
PC1 :                 [F]::40                 /64                                  [F]::1                   2001:4860:4860::8888       2001:4860:4860::8844
PC2 :                 [F]::41                 /64                                  [F]::1                   2001:4860:4860::8888       2001:4860:4860::8844


One last note : we do not need to take care of the Windows OS IPv6 Router Firewall. This is easy, but it is a good reminder that you're essentially trusting your OS for firewalling issues. And here, it seems quite comprehensive to say the least ...

We can now try our Internet connectivity :
tracert -d ipv6.google.com

A few last notes : we can turn our Windows OS into an IPv6 subnet access point using a single network interface. In this case, the network topology is this :



and we use the Windows OS IPv4 as client IPv4, and as IPv6 address we use [F]::1
( the IP6Tunnel interface is virtual after all, and receives the WAN IPv6 address )

Published by computer outlines in IPv6
15 June 2013, 14:21

As we're getting into Global Internet connectivity, we need to spend a little time talking about DNS. Without correctly functioning DNS, there is no name resolution, and thus most software is stalled ( Web browser, Mail client, Antivirus updates, ... )




First, we have IPv4 DNS Servers. This means they are reachable over IPv4. They hold records of name/IPv4 address pairs. These are called ' A ' records.

What is good is that those IPv4 DNS Servers also hold records of name/IPv6 address pairs. These are called ' AAAA ' records. So you don't need to enter an IPv6 DNS Server IP, except if you have the whole IPv4 stack disabled.



In the same way, an IPv6 DNS Server holds ' A ' records and ' AAAA ' records. So it can answer ' A ' record requests.


As an example, if you want all DNS requests ( ' A ' and ' AAAA ' records ) to be served by the IPv6 DNS Server, enter no IPv4 DNS IP on the client, only an IPv6 DNS IP.

If you want all DNS requests ( ' A ' and ' AAAA ' records ) to be served by the IPv4 DNS Server, enter no IPv6 DNS IP on the client, only an IPv4 DNS IP.

Finally, do note that Windows gives priority to IPv6, so if you entered both an IPv4 DNS IP and an IPv6 DNS IP, the IPv6 one will be used first.

Of course, a single DNS server can have both an IPv6 and an IPv4 address, thus providing DNS resolution over both IPv4 and IPv6. The previous example was just to clarify things.


Useful commands to troubleshoot DNS


We'll use OpenDNS for DNS resolution in these examples :


IPv4 DNS :
IPv6 DNS : 2620:0:ccd::2

to test the DNS resolution of www.wikipedia.org :
nslookup www.wikipedia.org


notice that www.wikipedia has no AAAA record.

if you try :                nslookup www.google.com


you see that there exists both A and AAAA records for www.google.com


now let's try :          nslookup ipv6.google.com


there is no A record. Only a AAAA IPv6 record




to test the DNS resolution forcing the use of an IPv4 DNS Server :
nslookup www.google.com

to test DNS resolution forcing the use of an IPv6 DNS Server :
nslookup www.google.com 2620:0:ccd::2


Strangely, nslookup doesn't seem to have a working fallback mechanism. If an IPv6 DNS server is registered on the PC, nslookup sends the request to it. If the request isn't answered, it doesn't try a registered IPv4 address, it just stops there.



Why are IPv6 records named ' AAAA ' records

Well, IPv4 records are named ' A ' records. And they're 32 bits long.
As an IPv6 record is four times this size ( i.e. 128 bits ), it is named an ' AAAA ' record, a Quad A record.


Published by computer outlines in IPv6