IPv6 explained - SLAAC and DHCPv6 (IPv6 from scratch part 2)
Vložit
- čas přidán 2. 06. 2024
- More basics of IPv6 explained - how does IPv6 Multicast work, More about IPv6 ICMP (ICMPv6), Router Solicitation and Router Advertisements. We'll have a look at SLAAC and DHCPv6. Follow up on my first "IPv6 from Scratch" episode.
The IPv6 cheat sheet is here: github.com/onemarcfifty/cheat...
You can watch the first episode here: IPv6 from scratch - the very basics of IPv6 explained • IPv6 from scratch - th...
0:00 Intro
1:52 multicast addresses
3:46 icmp vs. other protocols
4:45 icmp types
7:39 Router Solicitation
9:14 DHCPv6 vs. SLAAC
15:11 how about Dual Stack ?
CZcams: / onemarcfifty
Twitter: / onemarcfifty
Discord: / discord
Github: github.com/onemarcfifty
Patreon: / onemarcfifty
Blog: www.onemarcfifty.com - Věda a technologie
A couple of points about Wireshark: While you used a display filter, there are also capture filters. The display filters what you have received, so that you see only what you're looking for, but other stuff has also been captured. A capture filter controls what's captured. Of course, you can use both for maximum flexibility. Also, I have Wireshark configured with panels 2 & 3 on the same level, with 3 occupying only the minimum space required, leaving the rest of the space for panel 2. I have panel 1 at the top, taking full width. I find this provides the most info, with the best use of display space.
Any ISP that changes the prefix daily is incompetent. There is an RFC, I don't recall the number at the moment, that says the prefix should be consistent. I've had the same prefix for a few years, surviving replacing both the cable modem and the computer I run my firewall/router (pfSense) on. With SLAAC privacy addresses the suffix changes daily, which should take care of security concerns. For servers, you'd use the SLAAC persistent address, often based on the MAC, which the DNS can point to. One important point to remember with IPv6 is the address space is so sparse, it's hard to find a target, even if they know the prefix. A single /64 prefix, which is what's on a LAN, contains 18.4 billion, billion addresses. It would take a *LOT* of scanning for an attacker to find a target.
Also, Android devices won't work with DHCPv6.
As for multicast, as you mentioned, recipients must belong to the multicast group. However, some are automatic. For example, all devices belong to the all nodes group and all routers belong to the routers group, etc.. There is also a special multicast type, used for neighbour solicitation. It's called solicited node multicast, where the 24 right most bits of the target address are used for the right most address bits of the multicast group. This means there's only a 1 in 16 million (2^24) chance of an unwanted device responding to the multicast.
Hi James, many thanks for your thorough feedback. I'll pin the comment as it contains a lot of useful information!
I hope I speak for everyone when I say - YAY a third video in the series. This has been my first introduction to your content and I find it a very nice overview of IPv6 thank you!
Hi Paul - that's great, thanks so much for the nice feedback!
Absolutely terrific explanations. I love how you made analogies to Radio and emergency numbers for multi-cast and any-cast. Terrific!
Hey Brian, many thanks ;-) Your comment proves that you have watched it until the end ;-)
Thank you for taking the time to put this together. I have to admit, for several years part of me has been wishing that IPv6 will just "go away" and be replaced with something that's a bit easier to understand. However, since this isn't going to realistically happen, I'm diving head first into your guides. I'm patiently waiting for your "Best way to do all of this in OpenWRT" video before enabling anything as I don't wish to inadvertently create a security hole or bridge an isolated subnet/VLAN. Thanks again!
Hey, many thanks for the feedback - yes, I think we all felt (or feel) the same about IPv6. It's somehow similar to IPv4, yet strangely different. And as you say - we've got to take what we get ;-)
NUTS!!! You beat me to having the first reply. When I started my post, there were no other replies. However, I added to it, as the video progressed.
When you find something difficult; things don't get replaced in IT. They just create an interface where the end user loses the chance to deal directly with the technology. At the end; things become even more complex and less friendly to those who actually want to learn.
It's better to put some effort. In the long run; it is actually easier to control.
This is amazing series. Can't wait for next episode.
Hi Robert, thank you very much ;-)
我太爱这个视频了,能聆听网络专家的讲解是我的荣幸!
谢谢你!
Großartiges Video. Wie immer. Ist wirklich Klasse wenn du weiter IP6 ausbaust in einer Serie.
Hi, vielen Dank.
Excellent video! Love the idea of demystifying IPv6.
Hi Josh, yeah - "demystifying IPv6" - that would have been a great title for the series ;-)
I have never been interested in IPv6 very much before watching your videos, but actually it's very interesting. thank you very much :D
Thank you. It was worth the wait.
Thank you very much. Glad you liked the video ;-)
Great video Marc ! This was really informative. I love the idea of making a long series about this as it will be useful in the near future as we move slowly from IPv4 and given the fact that IPv6 has been around for so long yet we know very little about it makes it even more interesting.
Hi Vibhu, thank you very much. we'll see how many viewers the series attracts. There's still a large amount of people who have a deny-by-default attitude towards IPv6 ;-)
I really love this series and how you made it relate to real-life applications.
I'm definitely going to expermiment w/ ipv6 in my homelab now.
Awesome, keep me updated ;-)
All your videos are great man!
Hi Elvio, thank you very much.
Thanks for the Videos about IPv6.
I have had the same problem with v6, to find similar points like v4.
This two IPv6 Videos open my eyes.
I also enjoy your OpenWRT Videos, learned a lot by watching them.
Gruß aus Köln.
Hi, I am really happy that you liked the videos - and even more happy if they could help you. Thanks for your friendly feedback!
thank you so much for you videos such a precious content and your simplified explanation .Much respect and support from morocco
So much detailed information presented succinctly and logically. Excellent, thanks!
Hi Nick, thank you very much ;-)
Thank you for making this video and sharing it with all of us! I am, of course, subscribed with notifications turned on, and thumbs up!
Great videos Marc
Thank you very much Jan
Thank you for part 2 😀❤️
Hi, you're welcome - thanks for watching
@@OneMarcFifty Thank you for replying Marc. ❤️
Your videos are getting better over the time. Congrats! But i'm unable to see wheres the next part😅
My ISP is now providing IPv6 on my main modem/router. My Openwrt router is connected to main router but i dont know how to configure IPv6 in downstream. Waiting for IPv6 configuration on OpenWRT
Hi, it will come very soon ;-)
@@OneMarcFifty thanks for response. Just want to mention, how ISP should allocate IPV6? I see a /64 subnet allocated to ONT. i managed to assign /128 IPV6 to devices by using repay mode in wan and lan interfaces but note sure if its sufficient
@@OneMarcFifty thanks so much! Same issue, can't wait. :)
Great video Mark. When can we expect the next video on dual stack? Also could you put the series of videos in a playlist?
Thank you so much. I am beginning to understand now!
Hey Karolis, that's awesome ;-) Thanks for feeding back.
Waiting the video about how setup properly IPv6 on OpenWRT 🙂
Hi, many thanks for the comment - it's going to come soon ;-)
It would be really good if the openwrt setup included cascading routers. Eg Edge Router for a DMZ and internal routers for home/iot etc.
Hi! Thanks for this video. Your presentation was very understandable. You mentioned Dual-Stack. Since you have also made Proxmox videos... How about a video zu incorporate IPv6 into an existing infrastructure... All videos I've seen so far don't address this (or they have all VMs on their router backbone). My Proxmox has 6 internal networks on separate virtual NICs and each network has it's own subnet. What does one have to do and configure, so that all the VMs and containers get an proper IPv6 address and that the routing works (also from and to the outside world). Thanks again!
I'm waiting on the next episode 😎
It's out already. You should find it on my channel page ;-)
Thank you very much for your effort! It was a great explanation! Really funny how I'm just now trying to implement v6 in our OpenStack Cloud XD
Awesome - let me know how it goes ;-)
I will definitely need to watch it again, I need to really simulate the examples you showed here with a local IPV6 network and then see what I can simulate with the dynamic IPv6 address my provider assigns to my router. Nevertheless, thank you so much again for sharing the great knowledge!
Hi jairu, many thanks for the feedback. I think the effect on most viewers is - like you say - I am going to try things out ;-) That's great ;-)
Good vid!
Thank you! ♥
Hi, you're welcome. Thanks for watching.
Thank you for continuing this series of videos on IPv6. I like your approach of teaching it as a knowledge building experience rather than just presenting everything about IPv6 in a bulk data dump, with no reference for using the various components.
One thing I noticed that you did not touch on is EUI-64 addressing. Is this now considered less secure, and so its use is discouraged?
One other comment. I’ve noticed that on my home network (dual stack) using SLAAC for IPv6 addressing, it is much more difficult to identify the devices on the network. In the IPv4 DHCP world, or with IPv4 static IP addressing, it is much easier to identify the devices based on IPv4 address. For IPv6 and SLAAC, and dual stack, I find myself looking at the MAC address of the device, and then looking up its IPv4 address in the ARP table to figure out which device it is. Is there a better way of doing this and remaining in the IPv6 realm?
Hi, w/r to EUI-64 and whether it is secure or not - the clear answer is "it depends" ;-) The real question is - do you prefer having (1) a repeatably identifiable address or do you prefer (2) dynamic ("obfuscated") IPv6 address generation? If (1) then you can use EUI64 or DHCPv6. If (2) then use SLAAC with privacy extensions. It's really more about privacy than security. However, tracking these days is not done with the IP address. There are many mechanisms on the application layer (Browser fingerprinting etc.). W/r to identifying the workstation - real question here is why you would want to identify it or rather what for. Is a station doing something that it should not do ? In this case I think its OK to just dig a bit into MAC etc. or is it a Server / Container that you need to identify? If you need to have a fixed address in order to identify and access the station, then again you might use the mechanisms described above or even use an additional ULA that you could hand out with DHCPv6. If you want to track back on demand then probably a little script could help (ip neigh....)
Keep in mind that Android has a major flaw in that it does not work with dhcpv6!! There's a ticket that's been open for nearly 14 years.
Hi Brian, many thanks for sharing this. Ah - 14 years only ? Should be solved by 2037 then ;-)
It works just fine with SLAAC for a phone
Great video and good explanation as usual Mark,i would like to see a video about configuring an Open Portal on Opnwrt as well.Thanks and keep up the good work,like and subscribed👍🏻
Hi George, you mean a captive portal, right? I.e. ask the user to consent to rules or potentially pay before they can use the network ? I have actually been thinking about using this to do VPN on demand ;-)
@@OneMarcFifty yes Mark,just a simple one where user agree to terms and conditions and get access to internet(of course there are more options like paid vouchers,radius authentication etc etc)
Thanks again for reply👍🏻
OK, I see - you may want to have a look at OpenNDS openwrt.org/docs/guide-user/services/captive-portal/opennds - the video will take a while ;-(
May I ask what software you use to make your videos, they are really great!
Awesome
Thanks mate ;-)
And don't be sorry about another couple of videos on v6! v6 is totally underrated and needs all the attention it can get!
Noted ;-)
How about the IPv4 / IPv6 dual stack video? 😛
I am watching from my phone which screen is very tiny, not letting me see the details from Wireshark. Hopefully, I will have the chance to watch this video from my desktop. And yes, coming from IP V4, this is like magic, especially dynamic address server configuration, a real headache.
Hi, many thanks for the feedback - and also many thanks for the hint with the phone screen. I'll add more zooms in the future if there is a lot of info on the screen.
Do you know anything about net neutrality
ping6 ff02::1 (or ff02::2 for that matter) doesn't work on my home network, although that has ipv6 full enabled on all machines (and I am connected by dual-stack to the internet). I tried it on a raspberry and a macOS machine.
Edit: never mind. Found that one needs to specify the interface to use (which kind of makes sense) for this to work: ping6 ff02::1%en0.
Interestingly when I try to ping ff02::1 or ff02::2, it never works on any of my linux boxes or Macs but will only work on my openwrt routers
Hi Joe, I have seen different results on different machines. I would need to dig deeper in order to figure out if it is the switch filtering or not. Are they all on the same switch ?
@@OneMarcFifty Two cascaded routers. Two different unmanaged switches. I spun up a new openwrt router and connected my linux mint computer directly to the LAN port of the new router and I get the same result. Also my iPhone won't work ping ff02::1 either
Sounds like you have a really high interest loan. You should be trying to reconsolidate into something better. Get the smallest possible payment, and then do double payments every month and it will go down much faster since every payment above the minimum reduces the principal.
can anyone provide good material how to set ipv6 lan with raspberry pi as a router?
Hi Pawel, if you want to install OpenWrt on it, maybe have a look at this video : czcams.com/video/jlG_nrCOmJc/video.html
One thing to note is that Android *does not* and *will not* support DHCPv6 because Google doesn't want to support it ...
Hi Felix, many thanks for pointing this out.
Too bad my router blocks those fun ff02 addresses
How do you use dhcpv6 with Android ? 😂