We're happy to have another guest post from Cisco Press author and chair of the Rocky Mountain IPv6 Task Force Scott Hogg. This will be the first of a four part series on how, why, and when to choose static, SLAAC, or DHCPv6 addressing for IPv6. Thanks Scott! -Tom
Choosing Static, SLAAC or DHCPv6? Part One: Static IPv6 Addressing
How to choose the method for assigning IPv6 addresses.
Organizations should have standards for how IPv6 addresses are applied to computers and end-nodes within their networked environment. These policies apply to end-user computers in an office and to servers in a data center. These policies also apply to small devices with embedded network interfaces and other devices like sensors and other electronic equipment that is network-capable.
Static and Dynamic Addressing
IPv6 addresses can be assigned to a node statically where the address is manually configured and does not change until the configuration is changed. Alternately, IPv6 addresses can be assigned dynamically to a node and are subject to change as the network may change or the node's location or state changes. This section defines the policy that an organization will use for assigning IPv6 addresses to nodes.
Static IPv6 Addressing
Most organizations will want to statically configure IPv6 address parameters on specific systems in the network's environment. Static address configuration may be preferred for systems that are needed to have a fixed, non-changing IPv6 address or for nodes that are unable to perform dynamic address assignment. The systems in the networks that will most likely use this static IPv6 addressing technique are servers and systems within data center environments. These servers could be on an internally-accessible network or an Internet publically-accessible network. Cloud-based systems will also want to have static IPv6 addresses even though the services are virtualized.
Servers within a data center environment would need to be configured with the following information to be able to operate correctly in an IPv6 environment:
- Static IPv6 address for its network interface
- This address would be allocated from the IPAM system and registered within the DNS system with an AAAA resource record and an accompanying PTR record.
- Static IPv6 default gateway
- This could either be a global unicast address of the first-hop router or the Link-Local address of the first-hop router (e.g. FE80::1).
- Static DNS server
- This is the caching DNS resolver this system will use when it needs to perform a DNS query (e.g. configured within the /etc/resolv.conf)
- DNS Domain Name
- This is the domain name that the system will use in combination with the server's hostname to create its fully-qualified domain name (FQDN)
Typically, servers will have a static IPv6 address assigned, but still use the information contained in the ICMPv6 (type 134) Router Advertisement (RA) message sent by the first-hop router to provide the server information about the default gateway. RA messages contain the link-local address and the layer-2 (MAC) address of the first-hop router. Servers can listen to this and use this information to auto-configure their default gateway.
However, there are known vulnerabilities and security issues with allowing systems to dynamically learn this information through the RA messages. Therefore, some organizations will elect to disable sending RSs and receiving RAs on servers to prevent these types of Rogue-RA attacks. In this case, the servers will need to have their default gateway manually configured using either the global unicast address or the Link-Local address of the first-hop router.
Next week: Dynamic IPv6 addressing with SLAAC