 
CyberaxIzh
just joined
Topic Author
Posts: 9
Joined: Fri Mar 19, 2021 8:30 am

IPv6 DHCPv6 server?

Fri Mar 19, 2021 8:33 am

Hi!

As I understand, RouterOS right now only supports DHCPv6 PD and not the stateful client DHCPv6?

It would be nice to support it as well, so that the individual client bindings can be inspected through the console/API.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 DHCPv6 server?

Sat Mar 20, 2021 2:50 am

As I understand, RouterOS right now only supports DHCPv6 PD and not the stateful client DHCPv6?

It would be nice to support it as well, so that the individual client bindings can be inspected through the console/API.
MikroTik did say at one point that they planned to eventually support stateful DHCPv6 server on RouterOS, which would mean the ability to create not only pools of prefixes but pools of addresses. However, that was before Google clarified that they would *never* support stateful DHCPv6 on any Android platform b/c SLAAC is better. If you need to run any Android based devices on the network, you will need to also run SLAAC, and if you do both stateful DHCPv6 and SLAAC there is really no major advantage vs. just running SLAAC.

I think unfortunately stateful DHCPv6 is dead for all intents and purposes, because of Google. As a result, I'm not sure if MikroTik still plans to put the effort in to support it.
 
CyberaxIzh
just joined
Topic Author
Posts: 9
Joined: Fri Mar 19, 2021 8:30 am

Re: IPv6 DHCPv6 server?

Sat Mar 20, 2021 4:13 am

I've several devices that can't really use SLAAC because you need to know their address to connect to them. Some of them are UPS management cards. With DHCPv6 (which I have now in OpenWRT) I can just find them by name and assign them a static IPv6 and/or add DNS registration for them.

Anyway, stateful DHCPv6 would be a very useful addition with no real additional complexity. MikroTik already has most of the components for it.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 DHCPv6 server?

Sat Mar 20, 2021 5:00 am

I've several devices that can't really use SLAAC because you need to know their address to connect to them. Some of them are UPS management cards.
When you have SLAAC with no privacy extensions, which is the case for most such devices, the SLAAC addresses are essentially static - they won't change. The UPS management card you have is probably building a global address from EUI-64. There's no need for privacy extensions on such devices, and so you can create a DNS record that resolves to that address without having to worry about the address changing.
 
CyberaxIzh
just joined
Topic Author
Posts: 9
Joined: Fri Mar 19, 2021 8:30 am

Re: IPv6 DHCPv6 server?

Sun Mar 21, 2021 10:39 am

When you have SLAAC with no privacy extensions, which is the case for most such devices, the SLAAC addresses are essentially static - they won't change. The UPS management card you have is probably building a global address from EUI-64. There's no need for privacy extensions on such devices, and so you can create a DNS record that resolves to that address without having to worry about the address changing.
It actually doesn't do SLAAC at all, apparently (except obviously for router and DHCPv6 discovery). I can configure a static IPv6, but I need to support dynamic prefixes (for failover reasons) so this is not acceptable.

I guess I'll stick with OpenWRT for the internal network. Oh well. One less router sold for Mikrotik.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 DHCPv6 server?

Mon Mar 22, 2021 4:42 am

It actually doesn't do SLAAC at all, apparently (except obviously for router and DHCPv6 discovery).
That is really strange. I've never encountered a device that only supported DHCPv6 client and not SLAAC, and we use many devices. I have seen a few devices where (confusingly) you have to put it in DHCPv6 client mode to get a SLAAC address. If you put the device in question into DHCPv6 client mode, does it get an address via SLAAC?
 
CyberaxIzh
just joined
Topic Author
Posts: 9
Joined: Fri Mar 19, 2021 8:30 am

Re: IPv6 DHCPv6 server?

Tue Mar 23, 2021 7:21 am

That is really strange. I've never encountered a device that only supported DHCPv6 client and not SLAAC, and we use many devices. I have seen a few devices where (confusingly) you have to put it in DHCPv6 client mode to get a SLAAC address. If you put the device in question into DHCPv6 client mode, does it get an address via SLAAC?
I've tried all permutations of IPv6 configuration options (there are just two: "automatic", and "static IPv6"). I can ping the device over the link-local address, but for some reason it doesn't accept SLAAC. It works over stateful DHCPv6 on OpenWRT.

I'll try to upgrade its firmware and see if it helps.

I also still do like to be able to manage devices over the DHCPv6. I would even add this functionality if Mikrotik allowed custom NPKs.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 DHCPv6 server?

Tue Mar 23, 2021 8:29 am

I've tried all permutations of IPv6 configuration options (there are just two: "automatic", and "static IPv6"). I can ping the device over the link-local address, but for some reason it doesn't accept SLAAC. It works over stateful DHCPv6 on OpenWRT.

I'll try to upgrade its firmware and see if it helps.

I also still do like to be able to manage devices over the DHCPv6. I would even add this functionality if Mikrotik allowed custom NPKs.
Honestly, the device not supporting SLAAC is really an issue with the device. Most likely the manufacturer just assumed IPv6 is the same as IPv4 and didn't know SLAAC existed or didn't know that it was the normal way of assigning addresses with IPv6. I've only had one device that didn't support SLAAC (only supported DHCPv6) but the DHCPv6 option actually worked with SLAAC but gave a confusing error message in the log that it couldn't receive an address via DHCPv6. I asked the vendor about it and the response was that they barely knew how IPv6 worked and just assumed that the only options for address allocation were static or DHCP, like in IPv4. They added SLAAC in a later firmware update after I asked them to fix it.

DHCPv6 doesn't give you the controls that you think it would when devices do not support it - normally it is the case that devices do not support DHCPv6 client but support SLAAC. Then you have to enable both to support those, and devices that get DHCPv6 addresses will also get SLAAC addresses that you don't know about, and a lot of the point of DHCPv6 goes away because you end up having to allow both.
 
kalamaja
Member Candidate
Posts: 112
Joined: Wed May 23, 2018 3:13 pm

Re: IPv6 DHCPv6 server?

Tue Mar 23, 2021 9:52 am

Possibility to somehow manage DNS names for devices has been the biggest request from my clients also when talking about deploying MikroTik+IPv6.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 DHCPv6 server?

Tue Mar 23, 2021 1:58 pm

Problem is that quite some OSes (e.g. Windows) will use different short-lived IPv6 addresses (even multiple at any given time), constructed in SLAAC manner, and will use those addresses at will. This mostly matters for outgoing connections, but that means you can't rely on IPv6 address only to control what device can do and what not. A well-known address (either statically set or via DHCPv6 procedure) takes care of incoming connections though.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: IPv6 DHCPv6 server?

Tue Mar 23, 2021 2:06 pm

I think the reason we haven't seen the push for stateful DHCPv6 is because enterprises haven't adopted IPv6 in any kind of significant way. There are challenges with compliance standards like PCI, HIPAA, FIPS, etc in using SLAAC. Most security groups aren't equipped to manage a SLAAC environment.

Once enterprise adoption happens, you'll see a big push for DHCPv6 stateful across vendors and platforms and I suspect even Google will relent and add support for it. I think MikroTik should get ahead of this trend and add it.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 DHCPv6 server?

Tue Mar 23, 2021 7:49 pm

There are other solutions to this problem without bringing stateful DHCPv6 into the mix.

We run SLAAC on our internal office network, and the Windows machines joined to Active Directory automatically update the Windows DNS records to include all of the SLAAC IPs used by the system, including the privacy extensions IPs. This happens automatically and can be used for tracking for such systems. Of course, this will not include systems that are not part of the AD domain, so this is not a solution for all cases. However, we may see a more standardized system for doing this that works across vendors and is more automatic, whether handled by the client or by the router.

There is also RFC 8273 which introduces giving each host its own unique /64 prefix to facilitate the grouping of permanent and temporary IPv6 global addresses. The /64 prefixes can be tracked to individual clients and be used to apply firewall and other policies.

We manage some Fortigate routers on IPv6 and they have their own built-in way of managing the SLAAC IPv6 access. We can see a list of hosts and their IPv4 and IPv6 addresses grouped under the host. We can then create a firewall rule to prevent "DESKTOP-24" for example from being able to connect to Facebook, and this will work for the IPv4 and IPv6 addresses for the device since the Fortigate is tracking all that. It works pretty well when it comes to firewalling. I am not exactly sure how they identify the device name, but they must have some kind of specialized feature for this instead of relying on DHCPv4 since it seems to work even with devices that are on static IPs.

MikroTik has already partially implemented device tracking in the form of their kid-control feature. If they were to expand this to track IPv6 addresses for a single host in a similar way to what Fortigate does, and add some type of device groups feature, it would become possible to do firewalling based on the device in a similar manner to Fortigate's solution.

I've read through all the discussion threads with Google's top engineers and they absolutely refuse to relent and support DHCPv6 stateful client on Android. I can't see them changing their mind unless management overrides their top engineers and orders them to do something that they are convinced is the wrong approach, which is not a good way of keeping their engineers happy.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 DHCPv6 server?

Tue Mar 23, 2021 8:24 pm

The Google engineer makes his case for the best way to track IPv6 address usage by host in RFC 7934 section 9.1:

https://tools.ietf.org/html/rfc7934#page-9
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: IPv6 DHCPv6 server?

Wed Mar 24, 2021 2:58 pm

The Google engineer makes his case for the best way to track IPv6 address usage by host in RFC 7934 section 9.1:

https://tools.ietf.org/html/rfc7934#page-9
i agree. android doesn't even have DHCPv6 support built in.

sometimes i'd like to use stateful DHCPv6 to hand out addresses to CPEs that are 'discovered' in the network. but i ultimately settled with PD and using ipv6 pool based address autoconfiguration in routerOS to get a GUA assigned to the CPE WAN interface for remote management purposes.
but in a network running OSPFv3 over LL addressed links the 'serial number derived address auto configuration' i implemented in our FWA mesh network gets this done without DHCP in a very reliable way.
 
CyberaxIzh
just joined
Topic Author
Posts: 9
Joined: Fri Mar 19, 2021 8:30 am

Re: IPv6 DHCPv6 server?

Thu Mar 25, 2021 3:15 am

The Google engineer makes his case for the best way to track IPv6 address usage by host in RFC 7934 section 9.1:
https://tools.ietf.org/html/rfc7934#page-9
Well, the story ended happily. We just disabled IPv6 in our network entirely. It's not like anybody needs it right now.

About ND-based host tracking, I don't think it can be hooked up to DNS management or even to monitoring with user-friendly names.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 DHCPv6 server?

Thu Mar 25, 2021 4:43 am

About ND-based host tracking, I don't think it can be hooked up to DNS management or even to monitoring with user-friendly names.
That's not the case - we have hundreds of linux servers, APs, UPS's, PDU's, switches, etc all on SLAAC. We have to manually create a single DNS record for each, but the address does not change. For the servers we turn off the privacy extensions, whereas devices like APs, UPS's, PDU's, and switches will not have privacy extensions support to begin with.

ND-based host tracking is really only an issue where you are dealing with subnets and ranges that end users will connect to, especially in BYOD situations. In those cases they can get multiple addresses using SLAAC and tracking requires some specialized service.
 
CyberaxIzh
just joined
Topic Author
Posts: 9
Joined: Fri Mar 19, 2021 8:30 am

Re: IPv6 DHCPv6 server?

Thu Mar 25, 2021 6:26 am

ND-based host tracking is really only an issue where you are dealing with subnets and ranges that end users will connect to, especially in BYOD situations. In those cases they can get multiple addresses using SLAAC and tracking requires some specialized service.
To be fair, desktop macOS and Windows both support DHCPv6 so this allows to provide visibility into them.

I've contacted the UPS vendor and they'll send me a new card for testing, apparently SLAAC is supposed to work. We'll see.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 DHCPv6 server?

Thu Mar 25, 2021 7:43 am

I think the reason that Google is pushing this a bit is to try to avoid having IPv6 set up in the same way as IPv4 just because it was the way that things were always done.

Tons of people also want NAT66 otherwise they don't ever want to use IPv6. It is completely misguided thinking, where they believe that NAT provides security that a stateful firewall cannot.

NAT66 has its purposes as does stateful DHCPv6. But it is also super easy, especially if you are unfamiliar with IPv6, to deploy stateful DHCPv6 where it is unnecessary as a knee-jerk response because stateful DHCP is familiar from IPv4.

I'm not sure I agree necessarily with Google trying to force people on this, but there has to be some education on best practices, otherwise the IPv6 internet will be filled with customers who NAT66 everything for "security" so that they "hide their IPs", and deploy stateful DHCPv6 because "how else do you get IPs without DHCP or static?".

I do feel there is a need for a better overall strategy or solution for tracking and dynamic DNS for hosts that generate addresses via SLAAC that would work in a predictable cross-platform way that could be leveraged by enterprise tools, especially for these sort of BYOD situations where external devices can enter the network at any time.
 
CyberaxIzh
just joined
Topic Author
Posts: 9
Joined: Fri Mar 19, 2021 8:30 am

Re: IPv6 DHCPv6 server?

Wed Mar 31, 2021 8:23 am

So the vendor sent me a replacement card. It works fine with SLAAC. But I guess they overdid it, it gets a MAC-based address and a bunch of privacy addresses. Not really a problem, because I can just always use the normal static MAC-based address and it uses outgoing connections only for NTP and DNS.

I wish IPv6 people thought about extended neighbor discovery to include options for the device accounting....
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPv6 DHCPv6 server?

Wed Mar 31, 2021 10:41 am

So the vendor sent me a replacement card. It works fine with SLAAC. But I guess they overdid it, it gets a MAC-based address and a bunch of privacy addresses.
Yeah, that is a little strange. A UPS shouldn't need privacy addresses under any scenario - they should just have that disabled so it only has the one EUI64-based address.
