FortiGate
mricardez
Staff
Article Id 207133
Description This article describes how to troubleshoot DHCPv6 Prefix Delegation in FortiOS.
Scope FortiOS 6.0, 6.2 and later versions.
Solution

Some ISPs provide an IPv6 address through a dynamic addressing mechanism and additionally delegate an IPv6 prefix to the LAN using DHCPv6.

The IPv6 protocol enables dynamic configuration of host IPv6 addressing with two mechanisms, SLAAC and DHCPv6.

Each has its own advantages and disadvantages. The recommended way to get complete addressing in IPv6 is to use both mechanisms simultaneously and receive the benefits of both.

This article describes the two mechanisms together with their most obvious disadvantages:

SLAAC (Stateless Address Autoconfiguration):

  • The prefix is provided by RA (Router Advertisement) messages, together with the default gateway, the prefix lifetime, and the flags M (Managed address configuration) and O (Other configuration).
  • End stations automatically generate the Interface ID (lower 64 bits) of the address as an EUI-64 identifier derived from the station's MAC address.
  • This mechanism does not provide DNS information (resolver(s) or local domain search list).
  • RFC 6106 specifies extensions to SLAAC that allow DNS information to be included in RAs (optional).
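As an added illustration of the EUI-64 bullet above (example code written for this article, not Fortinet's), the following Python derives the modified EUI-64 interface ID and the link-local address from a MAC. The MAC 00:47:77:79:33:02 is the link-layer address carried in the FortiGate's client DUID (type 3, DUID-LL) in the dhcp6c debug output further down, and the result matches the fe80::247:77ff:fe79:3302 link-local listed for vlan211 and vlan237 in the `diagnose ipv6 address list` output.

```python
# Added example (not from the Fortinet article): derive the modified EUI-64
# interface ID and the resulting SLAAC/link-local address from a MAC address.
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, appendix A): split the 48-bit MAC in two,
    insert ff:fe in the middle and flip the universal/local bit (0x02) of the
    first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as advertised in an RA) with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 based SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address a host forms for itself from its MAC."""
    return slaac_address("fe80::/64", mac)


if __name__ == "__main__":
    # MAC of the FortiGate port in this article: it is the link-layer address
    # carried in the client DUID (00:03:00:01:<MAC>) shown in the dhcp6c debug output.
    fortigate_mac = "00:47:77:79:33:02"
    print("link-local:", link_local_address(fortigate_mac))
    print("SLAAC on WAN prefix:", slaac_address("2001:db8:72b1:8ca9::/64", fortigate_mac))
```

The router's link-local address fe80::247:77ff:fe79:3502 seen in the route table likewise corresponds to the MAC embedded in the server DUID. Because an EUI-64 interface ID is derived from the MAC, it exposes the hardware address to every peer; hosts that use the privacy extensions of RFC 4941 pick random interface IDs instead, so a host's SLAAC address cannot always be predicted from its MAC.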

DHCPv6:

  • DHCPv6 operates similarly to DHCPv4 in that the end station retrieves its IPv6 address from the server.
  • As in IPv4, the end stations receive the complete address (IPv6 prefix + Interface ID).
  • The end station discards the IPv6 prefix received via RA.
  • DHCPv6 provides DNS information.
  • DHCPv6 servers do not provide gateway information; the default gateway is obtained from the Router Advertisement messages.

To get the best of both mechanisms, use SLAAC with the flags M and O set: the end stations retrieve the default gateway from the RA, and the flag M tells them to look for a DHCPv6 server to obtain their address.

The flag O tells the end stations to obtain other configuration, such as DNS information, from DHCPv6.

Additionally, RFC 3633 defines a mechanism for automated delegation of IPv6 prefixes using DHCPv6.

FortiOS supports IPv6 addressing with a stateful DHCPv6 server configuration (SLAAC + DHCPv6) and with DHCPv6 Prefix Delegation.


The following topology is used to demonstrate stateful DHCPv6 and Prefix Delegation. The router (default gateway) and the DHCPv6 server are located on the Internet side, on vlan211.

[Topology diagram: mricardez_0-1647872932548.png]

The following is the FortiOS 6.X CLI configuration:

IPv6 Prefix on WAN (vlan211): 2001:db8:72b1:8ca9::/64
IPv6 Prefix on LAN (vlan237): 2001:db8:72b1:8caa::/64


config system interface
    edit "vlan211"
        set vdom "root"
        set device-identification enable
        set role wan
        set snmp-index 13

        config ipv6
             set ip6-mode dhcp <----- IPv6 addressing by DHCPv6.
             set ip6-allowaccess ping
             set dhcp6-prefix-delegation enable
             set dhcp6-prefix-hint 2001:db8:72b1:8ca9::/64 <----- Prefix IPv6 delegated.
        end

        set interface "port2"
        set vlanid 211
    next
end

 

config system interface
    edit "vlan237"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 14

        config ipv6
             set ip6-mode delegated
             set ip6-allowaccess ping
             set ip6-send-adv enable <----- FortiGate will send RA to end stations.
             set ip6-manage-flag enable <-- Set flag "M"
             set ip6-other-flag enable <-- Set flag "O"
             set ip6-upstream-interface "vlan211"
             set ip6-subnet ::1/64 <----- Set the 'Interface ID' used with the delegated IPv6 prefix.

             config ip6-delegated-prefix-list
                 edit 1
                     set upstream-interface "vlan211"
                     set subnet 2001:db8:72b1:8caa::/64 <----- Delegated IPv6 prefix.
                 next
             end
        end

        set interface "port2"
        set vlanid 237
    next
end

 

config system dhcp6 server
    edit 1
        set interface "vlan237"
        set upstream-interface "vlan211"
        set ip-mode delegated
        set dns-server1 2804:14d:1:0:181:213:132:2 <----- DNS resolvers to use on LAN.
        set dns-server2 2804:14d:1:0:181:213:132:3
    next
end

The following is the FortiOS 7.X CLI configuration:

IPv6 Prefix on WAN (vlan211): 2001:db8:72b1:8ca9::/64
IPv6 Prefix on LAN (vlan237): 2001:db8:72b1:8caa::/64

config system interface
    edit "vlan211"
        set vdom "root"
        set device-identification enable
        set role wan
        set snmp-index 13

        config ipv6
             set ip6-allowaccess ping
             set dhcp6-prefix-delegation enable
             set autoconf enable

             config dhcp6-iapd-list
                 edit 6 <----- The IAID is obtained from the ISP.
                     set prefix-hint 2001:db8:72b1:8ca9::/64
                 next
             end
        end

        set interface "port2"
        set vlanid 211
    next
end

config system interface
    edit "vlan237"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 14

        config ipv6
             set ip6-mode delegated
             set ip6-send-adv enable
             set ip6-manage-flag enable
             set ip6-other-flag enable
             set ip6-delegated-prefix-iaid 6
             set ip6-upstream-interface "vlan211"
             set ip6-subnet ::1/64

             config ip6-delegated-prefix-list
                 edit 1
                     set upstream-interface "vlan211"
                     set delegated-prefix-iaid 6
                     set subnet 2001:db8:72b1:8caa::/64
                     set rdnss-service default
                 next
             end
        end

        set interface "port2"
        set vlanid 237
    next
end

FortiOS CLI commands to review the FortiGate operation:

  • Both interfaces receive their IPv6 address through DHCPv6.

diagnose ipv6 address list | grep vlan
dev=19 devname=vlan211 flag=P scope=0 prefix=128 addr=2001:db8:72b1:8ca9::1002 preferred=4294967295 valid=4294967295 cstamp=68813355 tstamp=68840185
dev=19 devname=vlan211 flag=P scope=253 prefix=64 addr=fe80::247:77ff:fe79:3302 preferred=4294967295 valid=4294967295 cstamp=4055376 tstamp=4055376
dev=20 devname=vlan237 flag= scope=0 prefix=64 addr=2001:db8:72b1:8caa::1 preferred=602867 valid=2590067 cstamp=68840185 tstamp=107001582
dev=20 devname=vlan237 flag=P scope=253 prefix=64 addr=fe80::247:77ff:fe79:3302 preferred=4294967295 valid=4294967295 cstamp=8705106 tstamp=8705106
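The global address on vlan237 is the IA_PD prefix combined with the interface ID from `ip6-subnet ::1/64`. The following Python (an added example for this article, not Fortinet code) parses the `diagnose ipv6 address list` output above and checks that the downstream interface carries exactly that address, which is the first thing to verify when LAN hosts receive no RA prefix. The regular expression, function names and the address-combination logic are the example's own assumptions based on the output shown here.

```python
# Added example (not from the Fortinet article): verify that the address FortiOS
# installs on the delegated (downstream) interface is the delegated prefix
# combined with the interface ID configured as 'ip6-subnet'.
import ipaddress
import re

# One line of 'diagnose ipv6 address list' output; cstamp/tstamp are ignored.
ADDR_LINE = re.compile(
    r"dev=(?P<dev>\d+) devname=(?P<name>\S+) flag=(?P<flag>\S*) scope=(?P<scope>\d+) "
    r"prefix=(?P<plen>\d+) addr=(?P<addr>[0-9a-fA-F:]+) "
    r"preferred=(?P<pref>\d+) valid=(?P<valid>\d+)"
)

# Constructed sample input: the output lines shown in the article.
SAMPLE_OUTPUT = """\
dev=19 devname=vlan211 flag=P scope=0 prefix=128 addr=2001:db8:72b1:8ca9::1002 preferred=4294967295 valid=4294967295 cstamp=68813355 tstamp=68840185
dev=19 devname=vlan211 flag=P scope=253 prefix=64 addr=fe80::247:77ff:fe79:3302 preferred=4294967295 valid=4294967295 cstamp=4055376 tstamp=4055376
dev=20 devname=vlan237 flag= scope=0 prefix=64 addr=2001:db8:72b1:8caa::1 preferred=602867 valid=2590067 cstamp=68840185 tstamp=107001582
dev=20 devname=vlan237 flag=P scope=253 prefix=64 addr=fe80::247:77ff:fe79:3302 preferred=4294967295 valid=4294967295 cstamp=8705106 tstamp=8705106
"""


def parse_address_list(text):
    """Turn the diagnose output into a list of dicts, one per address."""
    entries = []
    for line in text.splitlines():
        m = ADDR_LINE.search(line)
        if not m:
            continue  # command echo or unrelated line
        d = m.groupdict()
        entries.append({
            "devname": d["name"],
            "flag": d["flag"],           # as printed by FortiOS; empty on the delegated address
            "scope": int(d["scope"]),    # Linux rtnetlink scope: 0 = global, 253 = link-local
            "prefixlen": int(d["plen"]),
            "addr": ipaddress.IPv6Address(d["addr"]),
            "preferred": int(d["pref"]),
            "valid": int(d["valid"]),
        })
    return entries


def delegated_address(delegated_prefix, ip6_subnet):
    """Combine the delegated prefix with the 'ip6-subnet' interface ID (e.g. '::1/64').

    High bits come from the prefix, host bits from ip6-subnet, matching the
    article's result: 2001:db8:72b1:8caa::/64 + ::1/64 gives 2001:db8:72b1:8caa::1/64.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=False)
    iid_str, iid_len = ip6_subnet.split("/")
    if int(iid_len) != net.prefixlen:
        raise ValueError("ip6-subnet length must equal the delegated prefix length")
    host_mask = (1 << (128 - net.prefixlen)) - 1
    iid = int(ipaddress.IPv6Address(iid_str)) & host_mask
    addr = ipaddress.IPv6Address(int(net.network_address) | iid)
    return ipaddress.IPv6Interface(f"{addr}/{net.prefixlen}")


def check_downstream_interface(entries, devname, delegated_prefix, ip6_subnet):
    """Return a list of problems; an empty list means the delegation is applied as expected."""
    expected = delegated_address(delegated_prefix, ip6_subnet)
    problems = []
    global_addrs = [e for e in entries if e["devname"] == devname and e["scope"] == 0]
    if not global_addrs:
        problems.append(f"{devname}: no global address installed (delegation not applied?)")
    for e in global_addrs:
        if e["addr"] != expected.ip or e["prefixlen"] != expected.network.prefixlen:
            problems.append(f"{devname}: has {e['addr']}/{e['prefixlen']}, expected {expected}")
        if e["preferred"] > e["valid"]:
            problems.append(f"{devname}: preferred lifetime {e['preferred']} exceeds valid {e['valid']}")
    return problems


if __name__ == "__main__":
    entries = parse_address_list(SAMPLE_OUTPUT)
    print("expected:", delegated_address("2001:db8:72b1:8caa::/64", "::1/64"))
    problems = check_downstream_interface(entries, "vlan237", "2001:db8:72b1:8caa::/64", "::1/64")
    print("problems:", problems or "none")
```

A non-empty result with "no global address installed" usually means the IA_PD never arrived or the `ip6-delegated-prefix-list` subnet does not match what the ISP delegated; a mismatched address points at a wrong `ip6-subnet` or a prefix change on the ISP side that the LAN configuration still hard-codes.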

  • The default gateway is obtained from RA messages and uses the link-local address of the router.

diagnose ipv6 route list | grep gwy
vf=0 type=01(unicast) protocol=2(kernel) flag=00450000 prio=1024 gwy:fe80::247:77ff:fe79:3502 dev=19(vlan211) pmtu=1500

  • The following is the DHCPv6 lease information for the end stations:

execute dhcp6 lease-list
Interface DUID IAID IP/Prefix Expiry
vlan237 00:04:93:e4:5e:96:f2:2b:c3:58:76:68:da:f7:92: 1919819010 2001:db8:72b1:8caa::2 Fri Mar 25 14:27:01 2022

To debug a DHCPv6 renewal of the IPv6 address:

  • Unset and set dhcp6-prefix-hint again.
  • Run a debug on the FortiGate and a sniffer on the WAN simultaneously.

config system interface
    edit vlan211
        config ipv6
            unset dhcp6-prefix-hint
        end
    next
end

config system interface
    edit vlan211
        config ipv6
            set dhcp6-prefix-hint 2001:db8:72b1:8caa::/64
        end
    next
end

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application dhcp6c 255
diagnose debug enable

Debug messages remain enabled for 30 minutes.

  • The following debug log only shows the DHCPv6 messages SARR (Solicit, Advertise, Request, Reply).

2022-03-21 11:59:29 [debug]client6_send() send solicit to ff02::1:2%vlan211
2022-03-21 11:59:29 [debug]dhcp6_reset_timer() reset a timer on vlan211, state=SOLICIT, timeo=0, retrans=1082
2022-03-21 11:59:29 [info]client6_mainloop() timeout=10 sec, cfd=8, kfd=9
2022-03-21 11:59:29 [info]client6_mainloop() msg received, sock =11
2022-03-21 11:59:29 [debug]client6_recv() receive advertise from fe80::247:77ff:fe79:3502%vlan211 on vlan211
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option identity association, len 40
2022-03-21 11:59:29 [debug] IA_NA: ID=19, T1=3600, T2=7200
2022-03-21 11:59:29 [debug]copyin_option() get DHCP option IA address, len 24
2022-03-21 11:59:29 [debug]copyin_option() IA_NA address: 2001:db8:72b1:8ca9::1002 pltime=604800 vltime=2592000
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option IA_PD, len 41
2022-03-21 11:59:29 [debug] IA_PD: ID=19, T1=3600, T2=7200
2022-03-21 11:59:29 [debug]copyin_option() get DHCP option IA_PD prefix, len 25
2022-03-21 11:59:29 [debug]copyin_option() IA_PD prefix: 2001:db8:72b1:8caa::/64 pltime=604800 vltime=2592000
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option client ID, len 10
2022-03-21 11:59:29 [debug] DUID: 00:03:00:01:00:47:77:79:33:02
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option server ID, len 14
2022-03-21 11:59:29 [debug] DUID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option DNS, len 16
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option domain search list, len 18
2022-03-21 11:59:29 [debug]client6_recvadvert() server ID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02, pref=-1
2022-03-21 11:59:29 [debug]client6_recvadvert() reset timer for vlan211 to 0.969465
2022-03-21 11:59:29 [debug]dhcp6_check_timer() called
2022-03-21 11:59:29 [info]client6_mainloop() timeout=10 sec, cfd=8, kfd=9
2022-03-21 11:59:40 [debug]dhcp6_check_timer() called
2022-03-21 11:59:40 [debug]select_server() picked a server (ID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02)
2022-03-21 11:59:40 [debug]client6_send() a new XID (45cf4a) is generated
2022-03-21 11:59:40 [debug]copy_option() set client ID (len 10)
2022-03-21 11:59:40 [debug]copy_option() set server ID (len 14)
2022-03-21 11:59:40 [debug]copyout_option() set IA address
2022-03-21 11:59:40 [debug]copyout_option() set identity association
2022-03-21 11:59:40 [debug]copy_option() set elapsed time (len 2)
2022-03-21 11:59:40 [debug]copy_option() set option request (len 4)
2022-03-21 11:59:40 [debug]copyout_option() set IA_PD prefix
2022-03-21 11:59:40 [debug]copyout_option() set IA_PD
2022-03-21 11:59:40 [debug]client6_send() send request to ff02::1:2%vlan211
2022-03-21 11:59:40 [debug]dhcp6_reset_timer() reset a timer on vlan211, state=REQUEST, timeo=0, retrans=922
2022-03-21 11:59:40 [info]client6_mainloop() timeout=10 sec, cfd=8, kfd=9
2022-03-21 11:59:40 [info]client6_mainloop() msg received, sock =11
2022-03-21 11:59:40 [debug]client6_recv() receive reply from fe80::247:77ff:fe79:3502%vlan211 on vlan211
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option identity association, len 40
2022-03-21 11:59:40 [debug] IA_NA: ID=19, T1=3600, T2=7200
2022-03-21 11:59:40 [debug]copyin_option() get DHCP option IA address, len 24
2022-03-21 11:59:40 [debug]copyin_option() IA_NA address: 2001:db8:72b1:8ca9::1002 pltime=604800 vltime=2592000
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option IA_PD, len 41
2022-03-21 11:59:40 [debug] IA_PD: ID=19, T1=3600, T2=7200
2022-03-21 11:59:40 [debug]copyin_option() get DHCP option IA_PD prefix, len 25
2022-03-21 11:59:40 [debug]copyin_option() IA_PD prefix: 2001:db8:72b1:8caa::/64 pltime=604800 vltime=2592000
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option client ID, len 10
2022-03-21 11:59:40 [debug] DUID: 00:03:00:01:00:47:77:79:33:02
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option server ID, len 14
2022-03-21 11:59:40 [debug] DUID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option DNS, len 16
2022-03-21 11:59:40 [debug]dhcp6_get_options() get DHCP option domain search list, len 18
2022-03-21 11:59:40 [debug]info_printf() nameserver[0] 3ffe:501:ffff:100:200:ff:fe00:3f3e
2022-03-21 11:59:40 [debug]info_printf() Domain search list[0] lab.fortinet.com
2022-03-21 11:59:40 [debug]client6_process() dynamic dns1=[3ffe:501:ffff:100:200:ff:fe00:3f3e]

2022-03-21 11:59:40 [debug]get_ia() make an IA: PD-19
2022-03-21 11:59:40 [debug]update_prefix() create a prefix 2001:db8:72b1:8caa::/64 pltime=604800, vltime=2592000
2022-03-21 11:59:40 [debug]get_ia() make an IA: NA-19
2022-03-21 11:59:40 [debug]update_address() create an address 2001:db8:72b1:8ca9::1002 pltime=604800, vltime=2592000
2022-03-21 11:59:40 [debug]dhcp6_remove_event() removing an event on vlan211, state=REQUEST
2022-03-21 11:59:40 [debug]dhcp6_remove_event() removing server (ID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02)
2022-03-21 11:59:40 [debug]client6_recvreply() got an expected reply, sleeping.
2022-03-21 11:59:40 [debug]dhcp6c_resource_update() dhcp6client: checking if needed to reinterfaceure
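To check a captured `diagnose debug application dhcp6c 255` log without reading it line by line, the following Python (an added example for this article, not Fortinet code) parses a subset of the lines above, reconstructs the SARR sequence, extracts the IA_NA/IA_PD leases, the T1/T2 timers, the DUIDs and the DNS servers, and reports the usual problems: a missing or unexpected delegated prefix, lifetimes that contradict each other, or a reply without DNS servers. It also decodes the two DUIDs into their type and link-layer address (RFC 8415 section 11). The regular expressions and the expected-prefix argument are the example's own assumptions about the log format shown on this page.

```python
# Added example (not from the Fortinet article): parse 'diagnose debug application
# dhcp6c 255' output, reconstruct the SARR exchange and check the delegated prefix.
import re
from ipaddress import IPv6Address, IPv6Network

# Patterns for the dhcp6c log lines shown in the article (assumed log format).
SEND = re.compile(r"client6_send\(\) send (\w+) to")
RECV = re.compile(r"client6_recv\(\) receive (\w+) from (\S+) on (\S+)")
IA_HDR = re.compile(r"(IA_NA|IA_PD): ID=(\d+), T1=(\d+), T2=(\d+)")
IA_NA_ADDR = re.compile(r"IA_NA address: (\S+) pltime=(\d+) vltime=(\d+)")
IA_PD_PFX = re.compile(r"IA_PD prefix: (\S+) pltime=(\d+) vltime=(\d+)")
OPT_ID = re.compile(r"get DHCP option (client|server) ID")
DUID = re.compile(r"DUID: ([0-9a-fA-F:]+)")
NAMESERVER = re.compile(r"nameserver\[\d+\] (\S+)")

# Constructed sample input: a subset of the debug lines from the article.
SAMPLE_LOG = """\
2022-03-21 11:59:29 [debug]client6_send() send solicit to ff02::1:2%vlan211
2022-03-21 11:59:29 [debug]client6_recv() receive advertise from fe80::247:77ff:fe79:3502%vlan211 on vlan211
2022-03-21 11:59:29 [debug] IA_NA: ID=19, T1=3600, T2=7200
2022-03-21 11:59:29 [debug]copyin_option() IA_NA address: 2001:db8:72b1:8ca9::1002 pltime=604800 vltime=2592000
2022-03-21 11:59:29 [debug] IA_PD: ID=19, T1=3600, T2=7200
2022-03-21 11:59:29 [debug]copyin_option() IA_PD prefix: 2001:db8:72b1:8caa::/64 pltime=604800 vltime=2592000
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option client ID, len 10
2022-03-21 11:59:29 [debug] DUID: 00:03:00:01:00:47:77:79:33:02
2022-03-21 11:59:29 [debug]dhcp6_get_options() get DHCP option server ID, len 14
2022-03-21 11:59:29 [debug] DUID: 00:01:00:01:29:c5:7a:5d:00:47:77:79:35:02
2022-03-21 11:59:40 [debug]client6_send() send request to ff02::1:2%vlan211
2022-03-21 11:59:40 [debug]client6_recv() receive reply from fe80::247:77ff:fe79:3502%vlan211 on vlan211
2022-03-21 11:59:40 [debug]copyin_option() IA_PD prefix: 2001:db8:72b1:8caa::/64 pltime=604800 vltime=2592000
2022-03-21 11:59:40 [debug]info_printf() nameserver[0] 3ffe:501:ffff:100:200:ff:fe00:3f3e
"""


def decode_duid(duid):
    """Return (DUID type, link-layer address or None) per RFC 8415 section 11."""
    raw = bytes.fromhex(duid.replace(":", ""))
    kind = int.from_bytes(raw[:2], "big")
    if kind == 1 and len(raw) > 8:   # DUID-LLT: type(2) hw-type(2) time(4) link-layer address
        return "LLT", ":".join(f"{b:02x}" for b in raw[8:])
    if kind == 3 and len(raw) > 4:   # DUID-LL: type(2) hw-type(2) link-layer address
        return "LL", ":".join(f"{b:02x}" for b in raw[4:])
    return ("EN" if kind == 2 else "UNKNOWN"), None


def parse_dhcp6c_log(text):
    """Collect message sequence, leases, timers, DUIDs and DNS servers from the log."""
    state = {"messages": [], "server": None, "timers": {}, "ia_na": None,
             "ia_pd": None, "duid": {}, "dns": []}
    pending_id = None  # which DUID ('client' or 'server') the next 'DUID:' line belongs to
    for line in text.splitlines():
        if m := SEND.search(line):
            state["messages"].append(("sent", m.group(1)))
        elif m := RECV.search(line):
            state["messages"].append(("received", m.group(1)))
            state["server"] = m.group(2)
        elif m := IA_HDR.search(line):
            state["timers"][m.group(1)] = {"iaid": int(m.group(2)), "t1": int(m.group(3)), "t2": int(m.group(4))}
        elif m := IA_NA_ADDR.search(line):
            state["ia_na"] = {"address": IPv6Address(m.group(1)), "pltime": int(m.group(2)), "vltime": int(m.group(3))}
        elif m := IA_PD_PFX.search(line):
            state["ia_pd"] = {"prefix": IPv6Network(m.group(1)), "pltime": int(m.group(2)), "vltime": int(m.group(3))}
        elif m := OPT_ID.search(line):
            pending_id = m.group(1)
        elif (m := DUID.search(line)) and pending_id:
            state["duid"][pending_id] = m.group(1)
            pending_id = None
        elif m := NAMESERVER.search(line):
            state["dns"].append(IPv6Address(m.group(1)))
    return state


def check_delegation(state, expected_prefix):
    """Return a list of problems; empty means the exchange and the delegation look healthy."""
    problems = []
    sequence = [kind for _, kind in state["messages"]]
    if sequence[:4] != ["solicit", "advertise", "request", "reply"]:
        problems.append(f"message sequence {sequence} is not SARR; check the WAN sniffer for the missing step")
    pd = state["ia_pd"]
    if pd is None:
        problems.append("no IA_PD received: the server did not delegate a prefix")
    else:
        if pd["prefix"] != IPv6Network(expected_prefix):
            problems.append(f"delegated prefix {pd['prefix']} differs from expected {expected_prefix}")
        if pd["pltime"] > pd["vltime"]:
            problems.append("IA_PD preferred lifetime exceeds valid lifetime")
        timers = state["timers"].get("IA_PD")
        if timers and not (timers["t1"] <= timers["t2"] <= pd["pltime"]):
            problems.append("IA_PD renew timers must satisfy T1 <= T2 <= preferred lifetime")
    if not state["dns"]:
        problems.append("no DNS servers in the reply: check the server's dhcp6.name-servers option")
    return problems


if __name__ == "__main__":
    st = parse_dhcp6c_log(SAMPLE_LOG)
    print("exchange:", " -> ".join(k for _, k in st["messages"]))
    print("IA_NA:", st["ia_na"]["address"], " IA_PD:", st["ia_pd"]["prefix"])
    for role, duid in st["duid"].items():
        print(role, "DUID", duid, "->", decode_duid(duid))
    print("problems:", check_delegation(st, "2001:db8:72b1:8caa::/64") or "none")
```

The delegated prefix in the reply is what FortiOS will advertise on vlan237, so comparing it with the `ip6-delegated-prefix-list` subnet is the quickest way to spot an ISP that renumbered. The server DUID decodes to DUID-LLT with the router's MAC, which is why the router's link-local address in `diagnose ipv6 route list` ends in 77ff:fe79:3502.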

  • The sniffer packet:

[Packet capture screenshot: mricardez_0-1647881660871.png]

  • The following Debian configuration is used only for lab purposes on the server and the PC:

Debian-server

ip address add 2804:14d:72b1:8ca9::ffff/64 dev vlan211 <-- Configure the IPv6 address on the WAN prefix.

cat /etc/radvd.conf  <-- Use radvd.conf for the RA message.
interface vlan211 {
    AdvSendAdvert on;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;

    prefix 2001:db8:72b1:8ca9::/64 {  <-- RA prefix on WAN.
    };
    RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 { }; <-- RFC 6106.
};

systemctl start radvd  <-- Start the radvd service.

cat /etc/dhcp/dhcpd6.conf  <-- DHCPv6 server configuration file.
default-lease-time 2592000;
preferred-lifetime 604800;
option dhcp-renewal-time 3600;
option dhcp-rebinding-time 7200;
allow leasequery;

option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:3f3e;
option dhcp6.domain-search "lab.fortinet.com";

option dhcp6.info-refresh-time 21600;

# The subnet where the server is attached.
subnet6 2001:db8:72b1:8ca9::/64 {
    range6 2001:db8:72b1:8ca9::1001 2001:db8:72b1:8ca9::1002;

    # Some /64 prefixes are available for Prefix Delegation (RFC 3633).
    prefix6 2001:db8:72b1:8caa:: 2001:db8:72b1:8cab:: /64;
}

/usr/sbin/dhcpd -6 -d -cf /etc/dhcp/dhcpd6.conf vlan211    <-- Run the DHCPv6 server in the foreground.

Debian-pc

cat /etc/network/interfaces

iface vlan237 inet6 dhcp
    accept_ra 2
    request_prefix 1